From 14257b8291e6b4a473ad9df05f61b04ae20747d5 Mon Sep 17 00:00:00 2001 
From: Manuel Enrique Colotti s297014 Date: Fri, 1 Sep 2023 15:40:14 +0200 Subject: [PATCH 01/38] added again --- .../Azure_Observability/.terraform.lock.hcl | 41 + .../IaCSec/Azure_Observability/aks.tf | 49 + .../IaCSec/Azure_Observability/grafana.tf | 46 + .../Azure_Observability/log_analytics.tf | 9 + .../IaCSec/Azure_Observability/main.tf | 38 + .../IaCSec/Azure_Observability/variables.tf | 37 + .../Kubernetes/db_connector_manifest.yml | 55 ++ .../IaCSec/Kubernetes/kubernetes_manifest.yml | 858 ++++++++++++++++++ .../Kubernetes/kubernetes_manifest_edited.yml | 858 ++++++++++++++++++ .../Kubernetes/kubernetes_service_account.yml | 44 + .../IaCSec/Kubernetes/pod_service_account.yml | 33 + .../IaCSec/Kubernetes/setup_aks.sh | 40 + .../IaCSec/Kubernetes/test_pod.yml | 26 + .../IaCSec/Vault-on-VM/.gitignore | 29 + .../IaCSec/Vault-on-VM/.terraform.lock.hcl | 118 +++ .../IaCSec/Vault-on-VM/LICENSE | 373 ++++++++ .../IaCSec/Vault-on-VM/README.md | 256 ++++++ .../IaCSec/Vault-on-VM/aks_ca.crt | 29 + .../IaCSec/Vault-on-VM/main.tf | 418 +++++++++ .../IaCSec/Vault-on-VM/setup.tpl | 97 ++ .../IaCSec/Vault-on-VM/terraform.tfvars | 29 + .../Vault-on-VM/terraform.tfvars.example | 16 + .../IaCSec/Vault-on-VM/tfplan | Bin 0 -> 17178 bytes .../IaCSec/Vault-on-VM/variables.tf | 63 ++ .../IaCSec/Vault-on-VM/versions.tf | 4 + .../aws-infrastructure/.terraform.lock.hcl | 85 ++ .../cluster-aux-resources/example-pod.yaml | 9 + .../cluster-aux-resources/sarolebinding.yaml | 13 + .../cluster-aux-resources/serviceaccount.yaml | 5 + .../cluster-aux-resources/token | 1 + .../IaCSec/aws-infrastructure/data.tf | 3 + .../IaCSec/aws-infrastructure/eks_module.tf | 67 ++ .../IaCSec/aws-infrastructure/main.tf | 33 + .../IaCSec/aws-infrastructure/rds.tf | 116 +++ .../IaCSec/aws-infrastructure/setenv.ps1 | 0 .../sysdig-eks-agent/sysdig-eks-agent.sh | 12 + .../IaCSec/aws-infrastructure/variables.tf | 45 + .../IaCSec/aws-infrastructure/vpc_module.tf | 205 +++++ .../IaCSec/iacsec-assessment.md | 14 + 
.../keycloak_webapp/.terraform.lock.hcl | 42 + .../IaCSec/keycloak_webapp/keycloak.tf | 55 ++ .../keycloak_webapp/keycloak_service.yaml | 11 + .../IaCSec/keycloak_webapp/main.tf | 39 + .../IaCSec/keycloak_webapp/variables.tf | 33 + .../IaCSec/mysql_database/main.tf | 36 + .../IaCSec/mysql_database/mysql_database.tf | 50 + .../IaCSec/mysql_database/variables.tf | 24 + src/final-assessment/resources_list.md | 4 + 48 files changed, 4468 insertions(+) create mode 100644 src/final-assessment/IaCSec/Azure_Observability/.terraform.lock.hcl create mode 100644 src/final-assessment/IaCSec/Azure_Observability/aks.tf create mode 100644 src/final-assessment/IaCSec/Azure_Observability/grafana.tf create mode 100644 src/final-assessment/IaCSec/Azure_Observability/log_analytics.tf create mode 100644 src/final-assessment/IaCSec/Azure_Observability/main.tf create mode 100644 src/final-assessment/IaCSec/Azure_Observability/variables.tf create mode 100644 src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml create mode 100644 src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml create mode 100644 src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml create mode 100644 src/final-assessment/IaCSec/Kubernetes/kubernetes_service_account.yml create mode 100644 src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml create mode 100644 src/final-assessment/IaCSec/Kubernetes/setup_aks.sh create mode 100644 src/final-assessment/IaCSec/Kubernetes/test_pod.yml create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/.gitignore create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/.terraform.lock.hcl create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/LICENSE create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/README.md create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/aks_ca.crt create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/main.tf create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/setup.tpl create 
mode 100644 src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars.example create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/tfplan create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/variables.tf create mode 100644 src/final-assessment/IaCSec/Vault-on-VM/versions.tf create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/.terraform.lock.hcl create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/sarolebinding.yaml create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/serviceaccount.yaml create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/token create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/data.tf create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/eks_module.tf create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/main.tf create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/rds.tf create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/setenv.ps1 create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/sysdig-eks-agent/sysdig-eks-agent.sh create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/variables.tf create mode 100644 src/final-assessment/IaCSec/aws-infrastructure/vpc_module.tf create mode 100644 src/final-assessment/IaCSec/iacsec-assessment.md create mode 100644 src/final-assessment/IaCSec/keycloak_webapp/.terraform.lock.hcl create mode 100644 src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf create mode 100644 src/final-assessment/IaCSec/keycloak_webapp/keycloak_service.yaml create mode 100644 src/final-assessment/IaCSec/keycloak_webapp/main.tf create mode 100644 src/final-assessment/IaCSec/keycloak_webapp/variables.tf create mode 100644 
src/final-assessment/IaCSec/mysql_database/main.tf create mode 100644 src/final-assessment/IaCSec/mysql_database/mysql_database.tf create mode 100644 src/final-assessment/IaCSec/mysql_database/variables.tf create mode 100644 src/final-assessment/resources_list.md diff --git a/src/final-assessment/IaCSec/Azure_Observability/.terraform.lock.hcl b/src/final-assessment/IaCSec/Azure_Observability/.terraform.lock.hcl new file mode 100644 index 0000000..73a61eb --- /dev/null +++ b/src/final-assessment/IaCSec/Azure_Observability/.terraform.lock.hcl 
@@ -0,0 +1,41 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.15.0" + constraints = "~> 2.15.0" + hashes = [ + "h1:9VXImUw/N5trbHEQiE2jaRidbN0uMx7K1xNwA4J5rfk=", + "zh:2fde02166f973f14c176aac01346bcce5aaa6fac34e47c83ab5a5bb2da4e554a", + "zh:39f955acc2ae67c2f939cc949e9026b3f2ff04da1ef6f12a080f588a356de2d9", + "zh:40efd3c358046788940560049a22588fb280e4720f77a861148d39e1855f357c", + "zh:6a51776492efb85e5a792e082bceb2fc953ffca8e3c7b9f18b0702dc3b64b704", + "zh:78fc976f020e7859141476fd930b48bc5701c0572db15dda38deb00f6f7698f0", + "zh:79528395629153a84d45a14ecc525115ad17e7d9caab8d4561a5060658aeb8ee", + "zh:cad982edfed3602eb85f3fd39a7783b210fa2786d53e14a0d454c0c2adc57d84", + "zh:e39b7de43f5933e0e9d7eaeb89b5a015880dfe51697cd985ae31198cf08a5c75", + "zh:ecd856ae46e22518c08c5db862844a8ed9052599c099e950e92b02352495c2c9", + "zh:f8a5f15fc6f9d0b1eaeb9bdae2e506e1fc16f18103a314b0acbb3fb62bf86345", + "zh:f984c2024599881e68d234e93951c3a54e849e28e15591f5659e83e480c41beb", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.52.0" + constraints = "3.52.0" + hashes = [ + "h1:atlTwMcGXXF0rKzLNZhKj7djwoKT4b6in+xa2Hz09Y8=", + "zh:0c3029da7454f2fe7058939d95c458d9930842f06430cfcd0713713f3d788216", + "zh:826584f11eaaec7f179e85d9cc4833ec7a1d854ed4883c94317427ddfa7ffd11", + "zh:8fff204176ee1b08d168848d4bd7a051d7fd189688ca8b5f26eb31855ea060a6", + "zh:a170ebe199b93ea1f20357d848dfd0f5e50538236f09939d1a11a61dfbfded0f", + "zh:acea54d715186101f8a7725997578b231e4db50eea0fb9f9868ecd867008e6e6", + "zh:ae0f6a61677282a2f605ca9d0a74a08ae78ae2efeb372a33b9d4c7210fbbfd2c", + "zh:c2c2329f3864e10ee15993c1a48e79bf72d570bb6d08003038a37b73e551dbf9", + "zh:c7a4a117628ff0ad24e9c73f1087e9a02b8eca633b0913ee1687b0b4b5c7f377", + "zh:e1a290e708e7dbbde8747a98680f7a1aace97694a243ba7a11cc5c77e982e9cc", + 
"zh:e82aa1c5e8ead3087968d7f44b6f644ef3092a0d243b4b575ff8847616e290b3",
+ "zh:f4d57d3c5f3c7fe064b88151036037b7852be6bcfa661e3f4fe0fda2871006d9",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/src/final-assessment/IaCSec/Azure_Observability/aks.tf b/src/final-assessment/IaCSec/Azure_Observability/aks.tf
new file mode 100644
index 0000000..6fde47d
--- /dev/null
+++ b/src/final-assessment/IaCSec/Azure_Observability/aks.tf
@@ -0,0 +1,49 @@
+
+
+resource "azurerm_kubernetes_cluster" "aks_cluster" {
+ name = "aks-cluster"
+ location = var.observability_rg.location
+ resource_group_name = var.observability_rg.name
+ sku_tier = "Free"
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "standard_d2_v2"
+ }
+
+// Add role assignment for azure user
+ identity {
+ type = "SystemAssigned"
+ }
+
+ # Uses Azure AD to authenticate users to K8s, refer to: https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal
+ # azure_active_directory_role_based_access_control {
+ # managed = true
+ # // it should be a group id, i've used my own object id
+ # admin_group_object_ids = ["9bd70693-8b50-432a-8876-a8096e9fb4b6"]
+ # azure_rbac_enabled = true
+ # }
+
+ network_profile {
+ network_plugin = "azure"
+ }
+
+ http_application_routing_enabled = true
+
+ oms_agent {
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+ }
+
+ linux_profile {
+ admin_username = "adminuser"
+ ssh_key {
+ key_data = "ssh-rsa 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 runcor3@LAPTOP-36GVQ98F"
+ }
+ }
+
+ dns_prefix = "observability-aks"
+
+ depends_on = [azurerm_log_analytics_workspace.log_analytics_workspace,
+ azurerm_resource_group.observability_rg]
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/Azure_Observability/grafana.tf b/src/final-assessment/IaCSec/Azure_Observability/grafana.tf
new file mode 100644
index 0000000..6362547
--- /dev/null
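Review bot: The cluster is created with the `azure_active_directory_role_based_access_control` block commented out and without `local_account_disabled`, so access to the control plane rests on the static admin credentials in the cluster kubeconfig, which the provider also writes into the remote state as the `kube_admin_config` attribute. Re-enable the block with an Azure AD group object id instead of the personal id left in the comment, add `local_account_disabled = true`, and restrict the public API server with `api_server_access_profile { authorized_ip_ranges = [...] }`, since nothing in the hunk limits who can reach it. `http_application_routing_enabled = true` switches on an add-on that Microsoft positions as dev/test only and that creates a public DNS zone; drop it unless this is knowingly a throwaway lab, and consider `network_policy = "azure"` in `network_profile` so the manifests in this commit can be segmented. The `ssh_key` comment `runcor3@LAPTOP-36GVQ98F` is a personal workstation hostname that has no reason to be in the repo; keep only the key type and body.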
+++ b/src/final-assessment/IaCSec/Azure_Observability/grafana.tf
@@ -0,0 +1,46 @@
+data "azurerm_subscription" "primary" {}
+
+
+resource "azurerm_dashboard_grafana" "grafana-dashboard" {
+ name = var.grafana-dashboard.name
+ resource_group_name = var.observability_rg.name
+ location = var.grafana-dashboard.location
+
+ auto_generated_domain_name_label_scope = "TenantReuse"
+ public_network_access_enabled = true
+ api_key_enabled = false
+ deterministic_outbound_ip_enabled = false
+ zone_redundancy_enabled = false
+
+ sku = "Standard"
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ depends_on = [azurerm_resource_group.observability_rg]
+}
+
+
+// Works, evaluate how to remove hardcoded principal id (probably the commented line is enough)
+resource "azurerm_role_assignment" "grafana-reader-role-assignment" {
+ #name = "monitoring-reader-role-assignment"
+ scope = data.azurerm_subscription.primary.id
+ principal_id = azurerm_dashboard_grafana.grafana-dashboard.identity[0].principal_id
+ #principal_id = "84edb984-ec6d-46ab-b236-83d3185ee2ad"
+ role_definition_name = "Monitoring Reader"
+}
+
+
+data "azuread_user" "ad_user" {
+ #user_principal_name = "s297014@studenti.polito.it"
+ user_principal_name = "ma.colotti_reply.it#EXT#@francescoborgognihotmailit.onmicrosoft.com"
+}
+
+// "Grafana Admin" role should work, principal Id should be my own account
+resource "azurerm_role_assignment" "grafana-admin-role-assignment" {
+ # name = "monitoring-admin-role-assignment"
+ scope = azurerm_dashboard_grafana.grafana-dashboard.id
+ principal_id = data.azuread_user.ad_user.id
+ role_definition_name = "Grafana Admin"
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/Azure_Observability/log_analytics.tf b/src/final-assessment/IaCSec/Azure_Observability/log_analytics.tf
new file mode 100644
index 0000000..8328ede
--- /dev/null
+++ b/src/final-assessment/IaCSec/Azure_Observability/log_analytics.tf
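Review bot: `grafana-reader-role-assignment` grants the Grafana managed identity `Monitoring Reader` over the entire subscription (`scope = data.azurerm_subscription.primary.id`), while the only telemetry source this stack creates is one Log Analytics workspace; narrow it to `scope = azurerm_resource_group.observability_rg.id` (or the workspace id) unless dashboards genuinely need every resource in the subscription. `grafana-admin-role-assignment` binds `Grafana Admin` to a single hard-coded external-user UPN through `data.azuread_user`, next to a commented-out personal object id; replace both with a variable, ideally an `azuread_group` lookup, so the repo carries no personal identifiers and the admin set can change without a code edit. `public_network_access_enabled = true` puts the Grafana endpoint on the internet with Azure AD login as the only gate; if that is intended for this lab, say so in a comment on that line, otherwise set it to `false` and front it with a private endpoint.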
@@ -0,0 +1,9 @@
+
+resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
+ name = var.log-analytics-workspace.name
+ location = var.log-analytics-workspace.location
+ resource_group_name = var.observability_rg.name
+ sku = "PerGB2018"
+
+ depends_on = [azurerm_resource_group.observability_rg]
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/Azure_Observability/main.tf b/src/final-assessment/IaCSec/Azure_Observability/main.tf
new file mode 100644
index 0000000..13e7942
--- /dev/null
+++ b/src/final-assessment/IaCSec/Azure_Observability/main.tf
@@ -0,0 +1,38 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.52.0"
+ }
+
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 2.15.0"
+ }
+ }
+
+ backend "azurerm" {
+ resource_group_name = "terraform-rg"
+ storage_account_name = "terraformbackendmanuel"
+ container_name = "tfstate"
+ key = "terraform.tfstate_observability"
+ }
+}
+
+
+provider "azurerm" {
+ subscription_id = var.credentials["subscription_id"]
+ client_id = var.credentials["client_id"]
+ client_secret = var.azure_sp_key
+ tenant_id = var.credentials["tenant_id"]
+ features {
+ resource_group {
+ prevent_deletion_if_contains_resources = false
+ }
+ }
+}
+
+resource "azurerm_resource_group" "observability_rg" {
+ name = var.observability_rg.name
+ location = var.observability_rg.location
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/Azure_Observability/variables.tf b/src/final-assessment/IaCSec/Azure_Observability/variables.tf
new file mode 100644
index 0000000..53b5077
--- /dev/null
+++ b/src/final-assessment/IaCSec/Azure_Observability/variables.tf
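Review bot: `retention_in_days` is not set on `log_analytics_workspace`, so the control-plane and container logs that the AKS `oms_agent` block in this commit ships here are kept only for the provider default (30 days in recent azurerm schemas; confirm against 3.52.0), which is usually too short to investigate an intrusion discovered late. Make the choice explicit, e.g. `retention_in_days = 90`, and drive it from a variable with a comment stating the cost trade-off. The whole resource is visible in the hunk.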
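Review bot: `prevent_deletion_if_contains_resources = false` in the `features` block disables the provider's guardrail, so a `terraform destroy` or a renamed resource group removes the AKS cluster, workspace and Grafana instance inside `observability_rg` without any further confirmation; leave the default (`true`) or add a comment justifying the override for this lab. The provider authenticates with a long-lived service-principal `client_secret`, and because grafana.tf in this same commit creates `azurerm_role_assignment` resources that principal must hold Owner or User Access Administrator, which makes it a high-value credential; prefer `use_oidc = true` with a federated identity in CI, or at minimum schedule rotation. The `backend "azurerm"` state in `terraformbackendmanuel/tfstate` will contain `kube_admin_config` and the SP secret in plaintext; nothing in this hunk shows that storage account's configuration, so confirm public access is disabled and versioning/soft-delete is on.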
@@ -0,0 +1,37 @@
+variable "azure_sp_key" {}
+
+variable "credentials" {
+ description = "Azure Service Provider Credentials"
+ type = map(string)
+ default = {
+ subscription_id = "945fc713-dc5d-4ba6-9b6b-2f1fb2225b19"
+ tenant_id = "c5179d57-9fa0-4d70-bf82-c3e49fc377d9"
+ client_id = "8267d52d-29b9-4a06-ac44-1c6743c8b010"
+ }
+}
+
+
+variable "observability_rg" {
+ description = "Observavility Resource Group"
+ type = map(string)
+ default = {
+ name = "observability_rg"
+ location = "westeurope"
+ }
+}
+
+variable "log-analytics-workspace" {
+ type = map(string)
+ default = {
+ name = "log-analytics-workspace"
+ location = "westeurope"
+ }
+}
+
+variable "grafana-dashboard" {
+ type = map(string)
+ default = {
+ name = "grafana-dashboard"
+ location = "westeurope"
+ }
+}
diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
new file mode 100644
index 0000000..70d1f4c
--- /dev/null
+++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
@@ -0,0 +1,55 @@
+# Load Balancer Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: db-external
+spec:
+ type: LoadBalancer
+ selector:
+ app: db-connector
+ ports:
+ - name: db-connector
+ port: 8888
+ targetPort: 8888
+---
+# Internal Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: db-connector
+spec:
+ type: ClusterIP
+ selector:
+ app: db-connector
+ ports:
+ - name: custom-port
+ port: 8888
+ targetPort: 8888
+---
+# Spring App Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: db-connector
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: db-connector
+ template:
+ metadata:
+ labels:
+ app: db-connector
+ spec:
+ containers:
+ - name: db-connector
+ image: runcor3/db_connector:latest
+ ports:
+ - containerPort: 8888
+ lifecycle:
+ postStart:
+ exec:
+ command: ["/bin/sh", "-c"]
+ args: ["export KUBE_TOKEN=/var/run/secrets/kubernetes.io/serviceaccount/token"]
+
+
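Review bot: `variable "azure_sp_key" {}` is declared without `sensitive = true`, so the secret that main.tf feeds into `client_secret` is echoed in `terraform plan`/`apply` output and CI logs whenever a dependent value changes; declare it as `variable "azure_sp_key" { type = string  sensitive = true }` (two attributes on separate lines). The `credentials` map bakes a real `subscription_id`, `tenant_id` and `client_id` into a committed default; together with the secret these are the complete login for the service principal, so drop the `default` and supply them from an untracked `*.tfvars` or the `ARM_*` environment variables. The description `Observavility Resource Group` has a typo: `Observability`.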
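Review bot: The `postStart` hook in the `db-connector` container does nothing useful: `export KUBE_TOKEN=...` runs in a throw-away `/bin/sh` whose environment is discarded when the hook exits, and even if it persisted it would hold the token's file path rather than the token, so the `lifecycle` block should be removed (an app that needs the projected token reads that path at runtime). Beyond that, the pod runs the mutable `runcor3/db_connector:latest` tag under the default service account with its token auto-mounted, has no `securityContext` and no `resources`, and `db-external` publishes port 8888 to the internet as a `LoadBalancer`; this is a sharp contrast with the hardened deployments in kubernetes_manifest.yml from the same commit. Pin the image by digest, set `automountServiceAccountToken: false` unless the app really calls the API server, copy the pod/container `securityContext` used elsewhere, and drop `db-external` if only in-cluster callers need the service.

```yaml
    spec:
      automountServiceAccountToken: false   # set true only if the app must read the SA token
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
      - name: db-connector
        image: runcor3/db_connector@sha256:<digest>   # pin; ":latest" is mutable
        ports:
        - containerPort: 8888
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          readOnlyRootFilesystem: true   # add an emptyDir at /tmp if the JVM needs it
        resources:
          requests: {cpu: 100m, memory: 256Mi}   # tune to measured usage
          limits: {cpu: 500m, memory: 512Mi}
        # lifecycle/postStart removed: the hook could not export anything into the app's environment
```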
diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml new file mode 100644 index 0000000..26b7549 --- /dev/null +++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml 
@@ -0,0 +1,858 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ---------------------------------------------------------- +# WARNING: This file is autogenerated. Do not manually edit. +# ---------------------------------------------------------- + +# [START gke_release_kubernetes_manifests_microservices_demo] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/emailservice:v0.6.0 + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: grpc + port: 5000 
+ targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.6.0 + ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + 
readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.6.0 + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: DISABLE_PROFILER + value: "1" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/frontend:v0.6.0 + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: 
RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: "adservice:9555" + # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem, alibaba + # # When not set, defaults to "local" unless running in GKE, otherwies auto-sets to gcp + - name: ENV_PLATFORM + value: "azure" + - name: ENABLE_PROFILER + value: "0" + # - name: CYMBAL_BRANDING + # value: "true" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/paymentservice:v0.6.0 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: 
paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.6.0 + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + template: + metadata: + labels: + app: cartservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/cartservice:v0.6.0 + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + resources: + 
requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 1 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + restartPolicy: Always + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - command: + - /bin/sh + - -exc + - | + echo "Init container pinging frontend: ${FRONTEND_ADDR}..." 
+ STATUSCODE=$(wget --server-response http://${FRONTEND_ADDR} 2>&1 | awk '/^ HTTP/{print $2}') + if test $STATUSCODE -ne 200; then + echo "Error: Could not reach frontend - Status code: ${STATUSCODE}" + exit 1 + fi + name: frontend-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: busybox:latest + env: + - name: FRONTEND_ADDR + value: "frontend:80" + containers: + - name: main + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.6.0 + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/currencyservice:v0.6.0 + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 
7000 + targetPort: 7000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/shippingservice:v0.6.0 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: redis + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 
+kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/adservice:v0.6.0 + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 +# [END gke_release_kubernetes_manifests_microservices_demo] diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml new file mode 100644 index 0000000..26b7549 --- /dev/null +++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml 
@@ -0,0 +1,858 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ---------------------------------------------------------- +# WARNING: This file is autogenerated. Do not manually edit. +# ---------------------------------------------------------- + +# [START gke_release_kubernetes_manifests_microservices_demo] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/emailservice:v0.6.0 + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: grpc + port: 5000 
+ targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.6.0 + ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + 
readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.6.0 + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: DISABLE_PROFILER + value: "1" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/frontend:v0.6.0 + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: 
RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: "adservice:9555" + # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem, alibaba + # # When not set, defaults to "local" unless running in GKE, otherwies auto-sets to gcp + - name: ENV_PLATFORM + value: "azure" + - name: ENABLE_PROFILER + value: "0" + # - name: CYMBAL_BRANDING + # value: "true" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/paymentservice:v0.6.0 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: 
paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.6.0 + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + template: + metadata: + labels: + app: cartservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/cartservice:v0.6.0 + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + resources: + 
requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 1 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + restartPolicy: Always + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - command: + - /bin/sh + - -exc + - | + echo "Init container pinging frontend: ${FRONTEND_ADDR}..." 
+ STATUSCODE=$(wget --server-response http://${FRONTEND_ADDR} 2>&1 | awk '/^ HTTP/{print $2}') + if test $STATUSCODE -ne 200; then + echo "Error: Could not reach frontend - Status code: ${STATUSCODE}" + exit 1 + fi + name: frontend-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: busybox:latest + env: + - name: FRONTEND_ADDR + value: "frontend:80" + containers: + - name: main + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.6.0 + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/currencyservice:v0.6.0 + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 
7000 + targetPort: 7000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + serviceAccountName: default + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/shippingservice:v0.6.0 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + - name: DISABLE_PROFILER + value: "1" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: redis + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 
+kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + serviceAccountName: default + terminationGracePeriodSeconds: 5 + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/google-samples/microservices-demo/adservice:v0.6.0 + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 +# [END gke_release_kubernetes_manifests_microservices_demo] diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_service_account.yml new file mode 100644 index 0000000..f4f2424 --- /dev/null +++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_service_account.yml 
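Review bot: Every pod in this manifest keeps `serviceAccountName: default` and none sets `automountServiceAccountToken: false`, so each workload container receives a Kubernetes API token it never uses; adding `automountServiceAccountToken: false` under each pod `spec:` (or on the default ServiceAccount) keeps that credential off the container filesystem. The loadgenerator init container is pulled as `busybox:latest`, a mutable tag, while every other image is pinned to `v0.6.0`; pin it to a fixed tag or digest so the init step cannot change under you. The header still says the file is autogenerated and must not be manually edited, yet this copy has been edited (`ENV_PLATFORM` is set to `"azure"`), so the banner should be replaced by a short note listing the local changes. `frontend-external` is a `LoadBalancer` Service on port 80 with no TLS; if plain HTTP is intended for the lab, a comment on that Service saying so would save reviewers a question.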
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-service-account
+ namespace: default
+
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vault-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "deployments", "services", "replicationcontrollers", "persistentvolumes", "persistentvolumeclaims", "configmaps", "secrets", "serviceaccounts"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+ resources: ["replicasets", "statefulsets", "daemonsets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["batch"]
+ resources: ["jobs", "cronjobs"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vault-role
+subjects:
+- kind: ServiceAccount
+ name: vault-service-account
+ namespace: default
diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml
new file mode 100644
index 0000000..c1d13c1
--- /dev/null
+++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml
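Review bot: The `vault-role` ClusterRole grants create/update/patch/delete on `secrets`, `pods`, `serviceaccounts` and the workload controllers in every namespace, far more than Vault's Kubernetes auth method needs; the token-reviewer identity only requires the last rule (`tokenreviews` with `create`), so the first four rules should be dropped unless a documented use case needs them. Two rules also look wrong as written: `deployments` is listed under the core API group `""` although it lives in `apps`, and `ingresses` is requested under `extensions`, a group that current Kubernetes releases no longer serve for Ingress (`networking.k8s.io` is the group). Because the ClusterRoleBinding hands this whole set to `vault-service-account`, whose token is mounted into the pod in pod_service_account.yml, anything that compromises that pod inherits cluster-wide access to Secrets.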
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sa-pod
+spec:
+ serviceAccountName: vault-service-account
+ containers:
+ - name: ubuntu
+ image: ubuntu
+ env:
+ # - name: VAULT_ADDR
+ # value: "http://192.168.65.2:8200"
+ - name: VAULT_ROLE
+ value: internal-app
+ command: ["sleep", "infinity"]
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ volumeMounts:
+ - name: shared-data
+ mountPath: /data
+ volumes:
+ - name: shared-data
+ emptyDir: {}
+
+
+
+
+
+
diff --git a/src/final-assessment/IaCSec/Kubernetes/setup_aks.sh b/src/final-assessment/IaCSec/Kubernetes/setup_aks.sh
new file mode 100644
index 0000000..f2f79b7
--- /dev/null
+++ b/src/final-assessment/IaCSec/Kubernetes/setup_aks.sh
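Review bot: `sa-pod` runs as root (`runAsUser: 0`) with no `runAsNonRoot`, `allowPrivilegeEscalation` or capability drop, and it mounts the `vault-service-account` token, so a root shell in this container is also a cluster-wide RBAC identity; test_pod.yml in this commit has the same root setting. The baseline in kubernetes_manifest_edited.yml already applies a stricter container context to every service, and these two pods should follow it unless the lab step genuinely needs root, in which case a comment above `securityContext` should say why. The `ubuntu` image is unpinned; use a fixed tag or digest. The commented-out `VAULT_ADDR` with a hard-coded private address is stale configuration and should be removed or turned into a clearly labelled placeholder.
```yaml
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      # … unchanged: resources, volumeMounts …
```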
@@ -0,0 +1,40 @@
+#!/bin/bash
+az login
+
+# Automatic configuration of local kubectl
+az aks get-credentials -g aks-resource-group -n aks-cluster
+
+kubectl get nodes
+
+# Deploy Service Account and Test Pod
+#kubectl apply -f ./kubernetes_service_account.yml
+#kubectl apply -f ./pod_service_account.yml
+
+# Deploy Online Boutique
+#kubectl apply -f ./kubernetes_manifest_edited.yml
+
+# Deploy Spring DB Connector microservice
+#kubectl apply -f ./db_connector_manifest.yml
+
+# Deploy Kubernetes Dashboard
+#kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
+
+echo "Dashboard URL: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/"
+
+#Deploy Sysdig Agent
+# helm repo add sysdig https://charts.sysdig.com
+# helm repo update
+# helm install sysdig-agent --namespace sysdig-agent --create-namespace \
+# --set global.sysdig.accessKey=fd19e5cc-9261-4c5f-827e-bbc855c83861 \
+# --set global.sysdig.region=eu1 \
+# --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
+# --set global.kspm.deploy=true \
+# --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
+# --set global.clusterConfig.name=aks-cluster \
+# sysdig/sysdig-deploy
+
+# Proxy access to kubernetes dashboard
+#kubectl proxy
+
+
+# Dashboard: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml
new file mode 100644
index 0000000..94e8231
--- /dev/null
+++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml
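Review bot: The commented-out `helm install` block carries a Sysdig access key in clear text on the `--set global.sysdig.accessKey=...` line; a credential committed to git remains in history even after the line is deleted, so it should be treated as exposed, rotated in the Sysdig console, and read from the environment instead, e.g. `--set global.sysdig.accessKey="${SYSDIG_ACCESS_KEY:?set SYSDIG_ACCESS_KEY}"`. The script also runs `az login` and `az aks get-credentials` without `set -euo pipefail`, so a failed login still lets the later `kubectl` calls run against whatever context happens to be current. Since most deployment steps are commented out, a header comment stating that the file is a step-by-step runbook to be executed by hand would make the intent clear.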
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ubuntu-curl-pod
+spec:
+ containers:
+ - name: ubuntu
+ image: ubuntu
+ command: ["sleep", "infinity"]
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ volumeMounts:
+ - name: shared-data
+ mountPath: /data
+ volumes:
+ - name: shared-data
+ emptyDir: {}
+
+
+
+
+
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/.gitignore b/src/final-assessment/IaCSec/Vault-on-VM/.gitignore
new file mode 100644
index 0000000..7a3e2fd
--- /dev/null
+++ b/src/final-assessment/IaCSec/Vault-on-VM/.gitignore
@@ -0,0 +1,29 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/.terraform.lock.hcl b/src/final-assessment/IaCSec/Vault-on-VM/.terraform.lock.hcl
new file mode 100644
index 0000000..b288be4
--- /dev/null
+++ b/src/final-assessment/IaCSec/Vault-on-VM/.terraform.lock.hcl
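Review bot: The `.gitignore` leaves both the tfvars and the tfplan patterns as commented examples (`# example.tfvars`, `# example: *tfplan*`), so a populated `terraform.tfvars` and a saved plan file can be committed next to the code; a plan file serialises the planned attribute values, including any sensitive inputs, and tfvars files usually hold those inputs in clear text. Uncomment `*tfplan*` and add `*.tfvars`, keeping a `!*.tfvars.example` exception if an example file is meant to stay tracked.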
@@ -0,0 +1,118 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.29.0" + constraints = "~> 2.29.0" + hashes = [ + "h1:9iqybcju7yDZEQUpfAi4wMNX7JBi8VXgx8ktk7wjtJQ=", + "zh:049f0b90042679247ebe9ae8e4e7bbcadd0d8764a2d9f6b7c84b0985a0550da9", + "zh:0d1e0a64c36451b77a6208a02a586e4f39960adc1d2db867383adeafaaf170bb", + "zh:124a019672dcde52f98bc6f2160b764be92b1648b172e08d454a5e938e7d78fd", + "zh:1b7dae68749615039a3dd2fd00398f6a283eea79ae69843a7420da31937c14b9", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:3f119ac8244d58208e7e0ad24924ae7ea7e5b6f2b0049ddf79e9fbc13bbf4c5f", + "zh:59c8d53cf3a0c132fa4e1ee14358a4a1670af35c5a4ba4da8701cb6bce9b09fa", + "zh:5a4d0a6fe3f9d6e612e7bb1a4845c55efea906e09e4fd7b9883d67add27af1ab", + "zh:79c42325602cff91aabc8000fcece3f808b152b2e839c9add63c83cf60ed91fb", + "zh:a77b87f9fc87bb9fa892bb0a3fa695f3ad57dbd35831ead9dc8709bc5fc9f002", + "zh:ab5b1c823375aa5ee002081f72e28bd15cafecb47b546247b45fb3e165aa7bdb", + "zh:efa4091ed8f124d261b3771259f28ca70fd926096445c0d6457342cb2f72092d", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.52.0" + constraints = "3.52.0" + hashes = [ + "h1:atlTwMcGXXF0rKzLNZhKj7djwoKT4b6in+xa2Hz09Y8=", + "zh:0c3029da7454f2fe7058939d95c458d9930842f06430cfcd0713713f3d788216", + "zh:826584f11eaaec7f179e85d9cc4833ec7a1d854ed4883c94317427ddfa7ffd11", + "zh:8fff204176ee1b08d168848d4bd7a051d7fd189688ca8b5f26eb31855ea060a6", + "zh:a170ebe199b93ea1f20357d848dfd0f5e50538236f09939d1a11a61dfbfded0f", + "zh:acea54d715186101f8a7725997578b231e4db50eea0fb9f9868ecd867008e6e6", + "zh:ae0f6a61677282a2f605ca9d0a74a08ae78ae2efeb372a33b9d4c7210fbbfd2c", + "zh:c2c2329f3864e10ee15993c1a48e79bf72d570bb6d08003038a37b73e551dbf9", + "zh:c7a4a117628ff0ad24e9c73f1087e9a02b8eca633b0913ee1687b0b4b5c7f377", + 
"zh:e1a290e708e7dbbde8747a98680f7a1aace97694a243ba7a11cc5c77e982e9cc", + "zh:e82aa1c5e8ead3087968d7f44b6f644ef3092a0d243b4b575ff8847616e290b3", + "zh:f4d57d3c5f3c7fe064b88151036037b7852be6bcfa661e3f4fe0fda2871006d9", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.4.0" + hashes = [ + "h1:7RnIbO3CFakblTJs7o0mUiY44dc9xGYsLhSNFSNS1Ds=", + "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", + "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", + "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35", + "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04", + "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406", + "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6", + "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7", + "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2", + "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc", + "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.3" + constraints = "~> 3.1.2" + hashes = [ + "h1:d4M8bOY9r99suD5EYfdZUvbhtq6hzCHa2SeY+T+IRlA=", + "zh:26e07aa32e403303fc212a4367b4d67188ac965c37a9812e07acee1470687a73", + "zh:27386f48e9c9d849fbb5a8828d461fde35e71f6b6c9fc235bc4ae8403eb9c92d", + "zh:5f4edda4c94240297bbd9b83618fd362348cadf6bf24ea65ea0e1844d7ccedc0", + "zh:646313a907126cd5e69f6a9fafe816e9154fccdc04541e06fed02bb3a8fa2d2e", + "zh:7349692932a5d462f8dee1500ab60401594dddb94e9aa6bf6c4c0bd53e91bbb8", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9034daba8d9b32b35930d168f363af04cecb153d5849a7e4a5966c97c5dc956e", 
+ "zh:bb81dfca59ef5f949ef39f19ea4f4de25479907abc28cdaa36d12ecd7c0a9699", + "zh:bcf7806b99b4c248439ae02c8e21f77aff9fadbc019ce619b929eef09d1221bb", + "zh:d708e14d169e61f326535dd08eecd3811cd4942555a6f8efabc37dbff9c6fc61", + "zh:dc294e19a46e1cefb9e557a7b789c8dd8f319beca99b8c265181bc633dc434cc", + "zh:f9d758ee53c55dc016dd736427b6b0c3c8eb4d0dbbc785b6a3579b0ffedd9e42", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + constraints = "~> 2.2.0" + hashes = [ + "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + hashes = [ + "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + 
"zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/src/final-assessment/IaCSec/Vault-on-VM/LICENSE b/src/final-assessment/IaCSec/Vault-on-VM/LICENSE new file mode 100644 index 0000000..a612ad9 --- /dev/null +++ b/src/final-assessment/IaCSec/Vault-on-VM/LICENSE 
@@ -0,0 +1,373 @@ +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. 
"Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. 
Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. 
Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. 
Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. 
However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. 
* +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. 
+Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. 
If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/src/final-assessment/IaCSec/Vault-on-VM/README.md b/src/final-assessment/IaCSec/Vault-on-VM/README.md new file mode 100644 index 0000000..7a2dde3 --- /dev/null +++ b/src/final-assessment/IaCSec/Vault-on-VM/README.md @@ -0,0 +1,256 @@ +# Auto-unseal using Azure Key Vault + +These assets are provided to perform the tasks described in the [Auto-unseal with Azure Key Vault](https://learn.hashicorp.com/vault/operations/autounseal-azure-keyvault) guide. + +In addition, a script is provided so that you can enable and test `azure` auth method. (_Optional_) + +--- + +## Prerequisites + +- Microsoft Azure account +- [Terraform installed](https://www.terraform.io/downloads.html) and ready to use + +
+ +**Terraform Azure Provider Prerequisites** + +A ***service principal*** is an application within Azure Active Directory which +can be used to authenticate. Service principals are preferable to running an app +using your own credentials. Follow the instruction in the [Terraform +documentation](https://www.terraform.io/docs/providers/azurerm/auth/service_principal_client_certificate.html) +to create a service principal and then configure in Terraform. + +Tips: + +- **Subscription ID**: Navigate to the [Subscriptions blade within the Azure + Portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) + and copy the **Subscription ID** + +- **Tenant ID**: Navigate to the [Azure Active Directory > + Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties) + in the Azure Portal, and copy the **Directory ID** which is your tenant ID + +- **Client ID**: Same as the [**Application + ID**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ApplicationsListBlade) + +- **Client secret**: The [password + (credential)](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ApplicationsListBlade) + set on your application + +> **IMPORTANT:** Ensure that your Service Principal has appropriate permissions to provision virtual machines, networks, as well as **Azure Key Vault**. Refer to the [Azure documentation](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). + +## Auto-unseal Steps + +1. Set this location as your working directory + +1. Provide Azure credentials in the `terraform.tfvars.example` and save it as `terraform.tfvars` + + > NOTE: Overwrite the Azure `location` or `environment` name in the `terraform.tfvars` as desired. + +1. Run the Terraform commands: + + ```shell + # Pull necessary plugins + $ terraform init + + $ terraform plan -out tfplan + ... 
+ Outputs: + + ip = 13.82.62.56 + key_vault_name = Test-vault-1e5a88de + ssh-addr = + Connect to your virtual machine via SSH: + + $ ssh azureuser@13.82.62.562 + ``` + +1. SSH into the virtual machine: + + ```plaintext + $ ssh azureuser@13.82.62.562 + ``` + +1. Check the current Vault status: + + ```text + $ vault status + Key Value + --- ----- + Recovery Seal Type azurekeyvault + Initialized false + Sealed true + Total Recovery Shares 0 + Threshold 0 + Unseal Progress 0/0 + Unseal Nonce n/a + Version n/a + HA Enabled false + ``` + + Vault hasn't been initialized, yet. + +1. Initialize Vault + + ```plaintext + $ vault operator init + + Recovery Key 1: + Recovery Key 2: + Recovery Key 3: + Recovery Key 4: + Recovery Key 5: + + Initial Root Token: + + Success! Vault is initialized + + Recovery key initialized with 5 key shares and a key threshold of 3. Please + securely distribute the key shares printed above. + ``` + +1. Stop and start the Vault server + + ```shell + $ sudo systemctl restart vault + ``` + +1. Check to verify that the Vault is auto-unsealed + + ```text + $ vault status + Key Value + --- ----- + Recovery Seal Type shamir + Initialized true + Sealed false + Total Recovery Shares 5 + Threshold 3 + Version 1.5.0 + Cluster Name vault-cluster-092ba5de + Cluster ID 8b173565-7d74-fe5b-a199-a2b56b7019ee + HA Enabled false + ``` + +1. Explore the Vault configuration file + + ```plaintext + $ sudo cat /etc/vault.d/vault.hcl + + ui = true + disable_mlock = true + + api_addr = "http://VAULT-IP-ADDRESS:8200" + cluster_addr = "http://VAULT-IP-ADDRESS:8201" + + storage "file" { + path = "/opt/vault/data" + } + + listener "tcp" { + address = "0.0.0.0:8200" + cluster_address = "0.0.0.0:8201" + tls_disable = 1 + telemetry { + unauthenticated_metrics_access = true + } + } + + # enable the telemetry endpoint. 
+ # access it at http://:8200/v1/sys/metrics?format=prometheus + # see https://www.vaultproject.io/docs/configuration/telemetry + # see https://www.vaultproject.io/docs/configuration/listener/tcp#telemetry-parameters + telemetry { + disable_hostname = true + prometheus_retention_time = "24h" + } + + # enable auto-unseal using the azure key vault. + seal "azurekeyvault" { + client_id = "YOUR-AZURE-APP-ID" + client_secret = "YOUR-AZURE-APP-PASSWORD" + tenant_id = "YOUR-AZURE-TENANT-ID" + vault_name = "Test-vault-xxxx" + key_name = "generated-key" + } + ``` + +## Azure Auth Method Steps + +The `azure` auth method allows authentication against Vault using Azure Active Directory credentials. + +1. First, log into Vault using the generated initial root token: + + ```plaintext + $ vault login s.bRyEk2vIPrKfeldFZD5xFvUL + ``` + +1. Explore the `/tmp/azure_auth.sh` file + + ```plaintext + $ cat /tmp/azure_auth.sh + ``` + + This script performs the following: + + - Enable the Azure auth method at `azure` + - Configure the Azure auth method + - Create a role named `dev-role` with `default` policy + - Finally, log into Vault using as `dev-role` to obtain a Vault client token + +1. Execute the script + + ```plaintext + $ /tmp/azure_auth.sh + ... + Key Value + --- ----- + token s.xYqTKUSivsKiwNwXv6wz9LUJ + token_accessor 0dua5lTuYkAyQakJiy0oKJW5 + token_duration 768h + token_renewable true + token_policies ["default"] + identity_policies [] + policies ["default"] + token_meta_resource_group_name learn-vault-rg + token_meta_role dev-role + token_meta_subscription_id YOUR-AZURE-SUBSCRIPTION-ID + token_meta_vm_name azure-auth-demo-vm + ``` + + A valid service token is generated. 
+ + ```plaintext + $ vault token lookup s.xYqTKUSivsKiwNwXv6wz9LUJ + + Key Value + --- ----- + accessor 0dua5lTuYkAyQakJiy0oKJW5 + creation_time 1548279674 + creation_ttl 768h + display_name azure-cc47203d-6c51-4498-9c3d-5e2874eca6fb + entity_id 7009136d-2eee-0414-61f9-e705a9f299ef + expire_time 2019-02-24T21:41:14.231599224Z + explicit_max_ttl 0s + id s.xYqTKUSivsKiwNwXv6wz9LUJ + issue_time 2019-01-23T21:41:14.231598924Z + meta map[resource_group_name:learn-vault-rg role:dev-role subscription_id:YOUR-AZURE-SUBSCRIPTION-ID vm_name:azure-auth-demo-vm] + num_uses 0 + orphan true + path auth/azure/login + policies [default] + renewable true + ttl 767h59m48s + type service + ``` + +## Clean up + +Run `terraform destroy` when you are done exploring: + +```plaintext +$ terraform destroy -auto-approve + +$ rm -rf .terraform terraform.tfstate* +``` diff --git a/src/final-assessment/IaCSec/Vault-on-VM/aks_ca.crt b/src/final-assessment/IaCSec/Vault-on-VM/aks_ca.crt new file mode 100644 index 0000000..f331b4c --- /dev/null +++ b/src/final-assessment/IaCSec/Vault-on-VM/aks_ca.crt 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE6DCCAtCgAwIBAgIQAof5BQJLoeMKk4seL/4c1zANBgkqhkiG9w0BAQsFADAN +MQswCQYDVQQDEwJjYTAgFw0yMzA1MjMwOTIyNDRaGA8yMDUzMDUyMzA5MzI0NFow +DTELMAkGA1UEAxMCY2EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCo +mtCDZCc53g0W4/dsS+RC+P0Kf3k1PUEm4tnAjQi0fNXCQ+X6k91vB8fnuk/4hy3C +9H1J1c6zOI4Ln2rqpsJZINXc9AU56Sc56xpPWW/53K6jcerw0DQcg/j7Uc3ocimh +ajXfYr2v+ktrcKgO9Idz1+t0F45uXD4ya65c+eV6//Taeti2CWvKAqBYacPqsC2o +8pKxa/x0BF0HPgCRgeZ8FCqyvQPw1yRXhO/DEA9qoJa4YhLZgdEMYIlmcjeat/SQ +jneljh2zZgAKDkrrunz8etzq2DwljA+SnsgXe00qUdkt9SGLdSdnBi10K6DkcDPe +gLjbtlEe2ddRwJtJ7ukZ+0LqUZgDNlBb3qpOGDrNMgM+TPhkMEwo7Z+nwmrqHZBo +flZUrWoYM3bgKDqSt72WmgnL7GOXtOigG9lFOlNqM3IywpLtPHoEIm/4vRCpJLh0 +0wVOaN4U+95uctdcYhp670TD3m4bGgn5Wj7yzNgbWUHJhfqr0V0ddSlUoXB0/9OE ++5UvdQEhPe85wHqREsQF54sfKtzYGyKS7B4OWd8CrN21n8GbZbzwpOEgca+MHWhk +7CX5Hen2sDLOgPR01yj9calededRWJBFVne4iKcSwkq1vJ00E0UnLbIbwz7edIid +PCxXDLjSZ9MnAMyvPFYipzHb/qB/FzbZDmGlUuf4ZQIDAQABo0IwQDAOBgNVHQ8B +Af8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUmeikroaB4YU84nNx +JNJ1pU5I/TcwDQYJKoZIhvcNAQELBQADggIBAAmtxyNlMwixMEm2XQU3afV1bCZc +17yH9u4Yvt6uWxpgh7nlNGep2/Jxp+cCHGmVo4OyIAOgSutvLEKkBpCUWltOVgIq +ECQ9sSI4YEv8c+LiPzwMgMkUijs9lR6gXYNtwTH3KGAl6IG63jXjRwbFE0TSN3Kx +CMpXC74/y6VzjPknqHBvljdEB1Ql/qhsc/OukMKnLQ7sG4QlaGqI4suUqPdWv8jV +XyLsR3PdBncWmu2yM53ndG0Ru/QNqHiCbn8YjB0eG6JlhJFhVy52OotewqOymkz1 +/RuUJFeIwTdRr/q3NmRTrJF8PlFhM+29rH1QxJv2KK4I67pAxUFHUV7ycqmIWq5/ +jkivEsBxO+HxJRgGtW6EipJ72SdLBQUys1Ng9YyJbgX7pnWIlXhIFeVDHzVoeUZj +B3Rhnsu0mVkEqXC1To0FldeU8xptJXkVhPccPkR6WO4Opbx9uY5PrcrnbOrj5IkE +rIZhX6VNN19O9k+swDiw/ukBhxkvqTdZn5MFuVZMmJ1zM2GgaSNmCFCThQr3wud5 +Ms5gUWJ3DkJ85v4KEDDGv5cqptjr3C9Q/pY58MlBnCf/nIGHxVvClIp8pA4oxIFM +2mlaj6GR+pbHVy0hrFefJWvFLr7AxGRdSBpzOPcobP5FrVAj0fYju2mieFMe6bET +7jb5XBY607kGKip2 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf new file mode 100644 index 0000000..87be94d 
--- /dev/null
+++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf
@@ -0,0 +1,418 @@
+# see https://github.com/hashicorp/terraform
+terraform {
+ required_version = ">= 1.1.7"
+ required_providers {
+ template = "~> 2.2.0"
+ random = "~> 3.1.2"
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.52.0"
+ }
+ azuread = "~> 2.29.0"
+ }
+
+ backend "azurerm" {
+ resource_group_name = "terraform"
+ storage_account_name = "terraformstate1603709092"
+ container_name = "tfstate"
+ key = "terraform.tfstate_vault_vm"
+ }
+}
+
+# see https://github.com/terraform-providers/terraform-provider-azurerm
+provider "azurerm" {
+ subscription_id = var.credentials["subscription_id"]
+ client_id = var.credentials["client_id"]
+ client_secret = var.azure_sp_key
+ tenant_id = var.credentials["tenant_id"]
+ features {}
+}
+
+
+
+
+resource "azurerm_resource_group" "vault" {
+ name = var.resource_group_name
+ location = var.location
+}
+
+resource "random_id" "keyvault" {
+ byte_length = 4
+}
+
+data "azurerm_client_config" "current" {
+}
+
+data "azuread_service_principal" "vault" {
+ application_id = var.client_id
+}
+
+############################
+ # CERTIFICATES
+############################
+
+resource "tls_private_key" "private" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "tls_self_signed_cert" "cert" {
+ private_key_pem = tls_private_key.private.private_key_pem
+ validity_period_hours = 87600
+
+ # Reasonable set of uses for a server SSL certificate.
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+
+ ip_addresses = [
+ "127.0.0.1"
+ ]
+
+ dns_names = ["${azurerm_key_vault.vault.name}.${var.location}.azurecontainer.io"]
+
+ subject {
+ common_name = "${azurerm_key_vault.vault.name}.${var.location}.azurecontainer.io"
+ organization = "Test Organization, Inc"
+ }
+}
+
+resource "local_file" "key" {
+ content = tls_private_key.private.private_key_pem
+ filename = "${path.module}/vault-cert.key"
+}
+
+resource "local_file" "cert" {
+ content = tls_self_signed_cert.cert.cert_pem
+ filename = "${path.module}/vault-cert.crt"
+}
+
+
+
+ ###########################
+ # VAULT
+ ###########################
+
+resource "azurerm_key_vault" "vault" {
+ name = "azure-vault-${random_id.keyvault.hex}"
+ location = azurerm_resource_group.vault.location
+ resource_group_name = azurerm_resource_group.vault.name
+ tenant_id = var.tenant_id
+
+ # enable virtual machines to access this key vault.
+ # NB this identity is used in the example /tmp/azure_auth.sh file.
+ # vault is actually using the vault service principal.
+ enabled_for_deployment = true
+
+ sku_name = "standard"
+
+ # access policy for the hashicorp vault service principal.
+ access_policy {
+ tenant_id = var.tenant_id
+ object_id = data.azuread_service_principal.vault.object_id
+
+ key_permissions = [
+ "Get", "List", "Create", "Delete", "Update", "WrapKey", "UnwrapKey", "GetRotationPolicy", "Purge",
+ ]
+ }
+
+ # access policy for the user that is currently running terraform.
+ access_policy {
+ tenant_id = var.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ key_permissions = [
+ "Get", "List", "Create", "Delete", "Update", "WrapKey", "UnwrapKey", "GetRotationPolicy", "Purge",
+ ]
+ }
+
+ # TODO does this really need to be so broad? can it be limited to the vault vm?
+ network_acls {
+ default_action = "Allow"
+ bypass = "AzureServices"
+ }
+}
+
+# TODO the "generated" resource name is not very descriptive; why not use "vault" instead?
+# hashicorp vault will use this azurerm_key_vault_key to wrap/encrypt its master key.
+resource "azurerm_key_vault_key" "generated" {
+ name = var.key_name
+ key_vault_id = azurerm_key_vault.vault.id
+ key_type = "RSA"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+}
+
+output "key_vault_name" {
+ value = azurerm_key_vault.vault.name
+}
+
+############################
+ # VAULT VM NEEDED RESOURCES
+############################
+resource "azurerm_virtual_network" "tf_network" {
+ name = "network-${random_id.keyvault.hex}"
+ address_space = ["10.0.0.0/16"]
+ location = var.location
+ resource_group_name = azurerm_resource_group.vault.name
+}
+
+resource "azurerm_subnet" "tf_subnet" {
+ name = "subnet-${random_id.keyvault.hex}"
+ resource_group_name = azurerm_resource_group.vault.name
+ virtual_network_name = azurerm_virtual_network.tf_network.name
+ address_prefixes = ["10.0.1.0/24"]
+}
+
+resource "azurerm_public_ip" "tf_publicip" {
+ name = "ip-${random_id.keyvault.hex}"
+ location = var.location
+ resource_group_name = azurerm_resource_group.vault.name
+ allocation_method = "Dynamic"
+}
+
+resource "azurerm_network_security_group" "tf_nsg" {
+ name = "nsg-${random_id.keyvault.hex}"
+ location = var.location
+ resource_group_name = azurerm_resource_group.vault.name
+
+ security_rule {
+ name = "SSH"
+ priority = 1001
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "Vault"
+ priority = 1002
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "8200"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ name = "Consul"
+ priority = 1003
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "8500"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_network_interface" "tf_nic" {
+ name = "nic-${random_id.keyvault.hex}"
+ location = var.location
+ resource_group_name = azurerm_resource_group.vault.name
+
+ ip_configuration {
+ name = "nic-${random_id.keyvault.hex}"
+ subnet_id = azurerm_subnet.tf_subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.tf_publicip.id
+ }
+}
+
+resource "azurerm_network_interface_security_group_association" "tf_nisga" {
+ network_interface_id = azurerm_network_interface.tf_nic.id
+ network_security_group_id = azurerm_network_security_group.tf_nsg.id
+}
+
+resource "random_id" "tf_random_id" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = azurerm_resource_group.vault.name
+ }
+
+ byte_length = 8
+}
+
+############################
+ # STORAGE ACCOUNT AND FILE SHARE
+############################
+
+resource "azurerm_storage_account" "tf_storageaccount" {
+ name = "sa${random_id.keyvault.hex}"
+ resource_group_name = azurerm_resource_group.vault.name
+ location = var.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+}
+
+resource "azurerm_storage_share" "vault" {
+ name = "vault-data"
+ storage_account_name = azurerm_storage_account.tf_storageaccount.name
+ quota = 5
+ depends_on = [
+ azurerm_storage_account.tf_storageaccount
+ ]
+}
+
+############################
+ # FILE SHARE DIRECTORY
+############################
+
+resource "azurerm_storage_share_directory" "vault" {
+ name = "certs"
+ share_name = azurerm_storage_share.vault.name
+ storage_account_name = azurerm_storage_account.tf_storageaccount.name
+ depends_on = [
+ azurerm_storage_share.vault
+ ]
+}
+
+############################ + # VM TEMPLATE FILE +############################ + +data "template_file" "setup" { + template = file("${path.module}/setup.tpl") + + vars = { + resource_group_name = "vault-vm-rg" + vm_name = var.vm_name + vault_version = var.vault_version + tenant_id = var.tenant_id + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + vault_name = azurerm_key_vault.vault.name + key_name = var.key_name + } +} + +############################ + # STORAGE ACCOUNT UAI +############################ + +# resource "azurerm_user_assigned_identity" "storage-uai" { +# name = "storage-uai" +# location = var.location +# resource_group_name = var.resource_group_name +# depends_on = [ +# azurerm_resource_group.vault +# ] +# } + +# resource "azurerm_role_assignment" "storage-uai-assignment" { +# role_definition_name = "Contributor" +# scope = azurerm_storage_account.tf_storageaccount.id +# principal_id = azurerm_user_assigned_identity.storage-uai.principal_id +# depends_on = [ +# azurerm_user_assigned_identity.storage-uai +# ] +# } + +############################ + # VM EXTENSION TO AUTOMATICALLY MOUNT FILESHARE +############################ + +resource "azurerm_virtual_machine_extension" "vm-extension" { + name = "mountfileshare" + virtual_machine_id = azurerm_linux_virtual_machine.tf_vm.id + publisher = "Microsoft.Azure.Extensions" + type = "CustomScript" + type_handler_version = "2.0" + + settings = </etc/vault.d/vault.hcl <:8200/v1/sys/metrics?format=prometheus +# see https://www.vaultproject.io/docs/configuration/telemetry +# see https://www.vaultproject.io/docs/configuration/listener/tcp#telemetry-parameters +telemetry { + disable_hostname = true + prometheus_retention_time = "24h" +} + +# enable auto-unseal using the azure key vault. 
+seal "azurekeyvault" {
+ client_id = "${client_id}"
+ client_secret = "${client_secret}"
+ tenant_id = "${tenant_id}"
+ vault_name = "${vault_name}"
+ key_name = "${key_name}"
+}
+EOF
+systemctl enable vault
+systemctl restart vault
+
+cat >/etc/profile.d/vault.sh <<'EOF'
+export VAULT_ADDR=http://127.0.0.1:8200
+export VAULT_SKIP_VERIFY=true
+EOF
+
+# TODO why isn't this in $HOME?
+cat >/tmp/azure_auth.sh <<'EOF'
+#!/bin/bash
+set -euxo pipefail
+
+# for more information see:
+# * https://www.vaultproject.io/docs/auth/azure
+# * https://www.vaultproject.io/api/auth/azure
+
+vault auth enable azure
+
+vault write auth/azure/config \
+ tenant_id="${tenant_id}" \
+ resource="https://management.azure.com/" \
+ client_id="${client_id}" \
+ client_secret="${client_secret}"
+
+vault write auth/azure/role/dev-role \
+ policies="default" \
+ bound_subscription_ids="${subscription_id}" \
+ bound_resource_groups="${resource_group_name}"
+
+# create a vault login token for the current virtual machine identity (as
+# returned by the azure instance metadata service).
+# NB use the returned token to login into vault using `vault login`.
+# see https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
+# see https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service
+vault write auth/azure/login \
+ role="dev-role" \
+ jwt="$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s | jq -r .access_token)" \
+ subscription_id="${subscription_id}" \
+ resource_group_name="${resource_group_name}" \
+ vm_name="${vm_name}"
+EOF
+chmod +x /tmp/azure_auth.sh
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars b/src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars
new file mode 100644
index 0000000..9d3d3ca
--- /dev/null
+++ b/src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars
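Review bot: The service-principal `client_secret` is rendered in clear into `/tmp/azure_auth.sh`, a file created under the default umask in a world-readable directory and then made executable, and that script runs with `set -x`, so the `vault write auth/azure/config ... client_secret=...` line will echo the secret to the terminal and any captured output. Set `umask 077` before the heredoc (or write it under root's home as the existing TODO suggests) and drop `x` from `set -euxo pipefail`. Since Vault runs on an Azure VM, consider letting the `azurekeyvault` seal use the VM's managed identity instead of embedding `client_id`/`client_secret` in `vault.hcl`. The profile also sets `VAULT_SKIP_VERIFY=true` against a plain `http://` address; the listener block at the start of this template is garbled in this view, so I cannot confirm whether TLS is configured at all.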
@@ -0,0 +1,29 @@
+#------------
+# Required
+#------------
+
+# Provide your tenant ID (Required)
+tenant_id=""
+
+# Public SSH key (Required)
+public_key = ""
+
+# Azure Client ID (Required)
+client_id = ""
+
+# Azure Client secret (Required)
+client_secret = ""
+
+# Azure account subscription ID (Required)
+subscription_id = ""
+
+
+#------------
+# Optional
+#------------
+
+# To overwrite the default (Optional)
+# location="westus"
+
+# To overwrite the default (Optional)
+# environment = "test"
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars.example b/src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars.example
new file mode 100644
index 0000000..872e3d4
--- /dev/null
+++ b/src/final-assessment/IaCSec/Vault-on-VM/terraform.tfvars.example
@@ -0,0 +1,16 @@
+#------------
+# Required
+#------------
+
+
+
+
+#------------
+# Optional
+#------------
+
+# To overwrite the default (Optional)
+# location="westus"
+
+# To overwrite the default (Optional)
+# environment = "test"
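Review bot: `terraform.tfvars` is committed with empty `client_secret`, `public_key` and other credential slots, which invites the next contributor to fill them in and push real values; the sibling `.gitignore` is in the diffstat but not visible here, so I cannot confirm it excludes `*.tfvars`. Keep the committed placeholders only in `terraform.tfvars.example` and ignore `terraform.tfvars`, or supply the secret via `TF_VAR_client_secret` at apply time. Note also that the `.example` file's "Required" section is empty, so it no longer documents the five keys that `terraform.tfvars` shows are mandatory; copy those commented entries across.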
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/tfplan b/src/final-assessment/IaCSec/Vault-on-VM/tfplan new file mode 100644 index 0000000000000000000000000000000000000000..3647598e9f51033d7712550be6602a530028abb7 GIT binary patch literal 17178 zcmaK!bC4#>*00-kPurNbIc?jvZQGuTwnZQHiZ+xybvc9Sx|-wX@@62Q^e)>6+}Nf8tP5HZ5i@Z8hO5_=?ZD<-aE z{qb^@mD>mVLSU7s;%7zUQJT)^EF5_l<%M{zp!oVjCRzvc#sZ^|vr9v1sR@(j9RN7@ z7TX|30xUXx98YZ#d>m4VOl5u9gE9Cjv8ZizEPgw_y*(5VF&|9}4-g21{!jsDp zUn4xafE#rdHJq7H%+*q`cu+3OFDANa9p5B+h`V<1KH+Ky_yNAUm@`Vl2Khz0hFm=i zOuBHj3Pq5`Y%|pGkHWcN_iCy#pF3~|R~Nq@Zo?~WFyPft$PsbZ!-#?2SA+WN6x) z&aQ^9$HiHH41->8`sf6TI4!OfFP3*o1m+q~ehjU9V&J)3z2j3#?WlltgpS|qI9~%K=Q3=zw=IaWSiaZ5 zeY-klV!s&Z(awEG$i}XmQ3{h$e(+XtUWQEjQ%5lq$bs9B{h|LAhRo}RdGoC8p(nn} zWB<4&zV1MLD-^I$VV{FY0X*aU=6?RH~=x;ugKvnzS9JSDwJ) z0p9FGK)Fk~zPy};3B=DBmTzwS2s~_s-{-dawq6iB2+YqCSY&AEFaH)tL(($QS?sT) zFvJb|Ivuvn%3s1?VyqwfcBh6NAcyapSXy~*(c2UZ1TPss{EP%KN{TRuK~z(InFTVU z@KO$U_m3fLr!I?ie9j8WsN5PI4C7HHy@srI$4n3YjOK;Tu#)utoJhFrO@*6c0CH64lRoWEySrl?(G|t{ zbE2kN1+-<{!P+XqsB!dXh3Vl{;;W>ri1G!mHNj`=;loHbnVzqFH$5vIvjqq?9%$oQ z3`P4_>=YU>oQ)fZ5@3L5htoM<^6aQPp&hmKV|HDpX#0lnY=>F^TqP-zOB#oIQ;bG% zKhdyJtHEOhDbkgVyf`KP)>2od=z4^bDT6JuFzlcX;g92={l`<>@hLArbtSk4WYj!Q zl`heTjWmo{Sl!a!j{v^aqczTFrr^Ey3_Kjn8N(6dh|hao!ngNR-=N~bgDD{LzEd-^ zk0>8JP8G6i7HW8)Et)+{!JlSPQZT!RZbu#;F87Dt6Th>r?sjUB<+8Nqt{~d4Yj<`c zx_pcnx~O8^1{>L9`F>fHQ~TnyF%gq(dleo$=eX3CTIKwq z2%SEin{$cpYopUwpnbGA+AaL5_a@|zY6n0^58~Zs3p1iGK)^<;s`|rz%O>^oEwc+| zefhmn^5F8dW%KWM0bl^?G~jOyd=|E{ls}+9g5v0Pe?(H*SRp{5OX3_; z8mE0_%KVuQ#u)|yVsy%$=D*`|Fo6Glc{)i7OOP=8rOA+w9gfvGUk8r~(~>eOv-0EA zWI353y9Q>+ijb@#^-S3VmxT)OY%OA23&5-;(Uc;!HI#4++2?%lpe zmHV}3H##IsUFsAbt$sK|E{J8Ui;~E9R?!$tfm%0~+ccW=TBQo2r7_bFg8CS#M#WQl zXe^hiER`onlI-?Q;4Rz%^>#Vu&@-GcNt$epP?9zxXFpGqHHVc3bZD&|0&wisguT(N zHA*L^rtCWd6jz( zcU3n);TTw`Dg&fkP1v`OT)X=an}8tor`zWsA=w$QSS8N^_QMKhtz`Y3iNJnCFJjC^ zE`Goqc!XS-wc4kf$-fQ4%u8LvGxQrd(tNV3;QZ|ogg z*H-N=iAciborg~;5AM{hi|L9{>IBrRAW*~9xj7)9h00QJs1Ci2Y7wOI=$3oira^yV 
zo#unU;5?W6L#85ovRZ=+6Vz5n*2_#3;rBo+u%!YepXP7Wak|HAY%U49|ty2&^`* z70y0%o1P5kM^3ZZL=ifN8@~3raCVB@F;hz5mW&6^?)Lv2^|b)f-z-?xch6>V1Zqhh z;b7v+=tL!}AJVEX1kyw$I^*U$3+*40g7qd)4Dd`24HdPy$?`V$fV!TH=h7NUlc8A3 zeE;~8_%cr9?<4)a0Gi-^kAL$=0+1glLW^F{vHwfNMM@OI9@q-W-O=yCMWdu0gZ-lQqUryRFWkprZbDjb}gCV7 z?ldn=JDv2y?l8#rt`GHX4K&xSJ?QsYzH|AlD6#i0pL*g?J02!3Ec46Z+Qwo2^bFIM zr!6nH`er9CTz1HkC7svHWRKQ(j)Y3#TiVY2_gjfBG$9xMDnH((K#;I0y*3@rhdwQx zk%X8uazJ%C=aL~2C1pOvgUAKUTB`;SC0A5T?tnt5VsScS^O8zTmPaYrmfr|gS74qtGv15Nur-^JQY~>N*ceflU9;C`Ab+ekgSyDc( z<(2LV@TvBJG;(4}Fz=`I7X)zY0cueS+}N?DFE+zD6MYoSK$jGUDbyY`O2I=b%qvTK zxG+#!VoE%^%r3XyChl1$KHeU$#)@@5N-27?PcPRqy~u@D3J8-Kbl1$c0YRYgN%K1a zISVnmi+L9SNphEAOFMd!O&154$(t#7S)Qg8-NXyb2CmsiQ8U;}mC^5x{UpI$sid-D z0fU%u0BNmsNfjPPPn#6ESE1@Y8ch5AA zH8why3V&*$mZtJOmAvO?A^|55gcD~kEF`3CUSF~T4@pa#a2HIb%fWQdR~g|m`a_tk zCVW+)H@@~lhmZ`S;Fa`I5OFI?3I=gpEib3QhC*G(sPa0gO4$v<8#1(|S-AURH6`dT za~s8Q=IYZFklh007CuXhme^2~o&qZGL^3QJ0D52`)5XXiq6`Qp@S!0w55UkC({Mz{ zvXvJa!bmdYmD)MGE-X^8X$P$+CL#*^jWOULFhM~~< zk`*pxpK{wM0E6rDRjDIAPQ?|j^ewRrNr6hC2)ggRA3n(|swX0?kFBX05l~RjLB1PS zbihzA!eHB9YPkirTqaufD+lr_J(njBL`*SnP~V2~0J(D@R7oIVF&*r#3>xJ|R3<>a zY3MlIaW_oaxd?lm<>d7R#voQSL)L>Rg({4&*ee{LKUCBg!M5Idc0UMDR1BB(o2ou+ z`vIi!KyE)q|1k8Fr3jkK2{9d{A^>QaJGKnL+_n{AdRJl`xxKuuPLv(0KGQ z>~BRzg0)~eD~RIl9!fDxL12|Rm3AemUIfFgIU$btTUy@`h#WXj%-yoe10;Oxw{6p0 z*!QdPfRl>2lG|3Zrd0G}%K)}k?WIe`L(m{5onBJ6IXxgEy+09%7a8oLr&5ltD>|2# zk&2KiZV=ZJn&0RHf)3GidfEv!2XE@qtlip`VFZ%3T9taycH2(*o=acOUEe!SHy3P zz3tE7m_0U|OR1;rKZ+Jk%me{?5$_!!100FN3=d|adP~?|?AyY7 z)sDD#AL*Eedr&RGF^r$0A08SMSb3;G?y5_t7^LnfN1nVnzpsgqpITfJ1eEs&s?tpJ zNv>E4N6PleH9)+@Ox~KwfM|&)4f1DRP~1$uA&Y<%K0KhFr9e~y0B_Ii)ch}yCn!8~ znPSD)klB|`ef3Wsa?ZWmMUQ^;qj-H-r>5J z8({T(XB6D@&i+I{TxQfruNd{Rh=5h&9h=sH)^dOHG=~Qr zCs1Ia?K_}eVrPkct5pc!w#6DGySjp2vtk!VPejeLGD}bm7s=V}sE#&$-lh@jpR%b( z8|=fdxbSmf%Nyz1q94DBg)sA^hcN?51~D@pk?HVhmrDP@imLNjsCaLGGVYf87&84ogcAa?7*#%dKrY4_OjVE{(x2>m=(6bN(^W zll1`NRox0cB_kbKE*R^i1#_K*wOgjdr|CdHCo$a%0`_jn%zPpqn6s_T_Db>8Fu|Hk 
z)+)TuoFXU}GVdp}@;kad=R?Ef1#i>xmedEC%$&#?EU&9!M_Pc`OlbD zvz7C{5(OT*r3&~RZA{O5L7hZb-q~ea;8y`bvSzVLDhk6avx~s!a{Hp_yu}Lyyi}R>%$aN{A?uv=31(R3{8X3@;%#(Kxf}Ya+84E$Jx8naz)KjQEqYW$9Zy;u_-H*5HYpg(p`#nE&OK`CQ?C~_f7P)Qb=St^ z7%Wx#kSVzzW7DqlN9{4n@;7$-$@)V-b@^+C1C0K*x$eMh4GBHu`8VPw#mVQ zf51z{UI8#eR)2y;!&${PyufCj&)?yAdaNit6~aAeZkjU?*@CZHul{?m^#pMrKpy^T z$b?|2`|DSJm=Im{*{H-VK8IT2IEzIfH_+BQH7JTC+s#JIa!FZ3^>n>yd(oL)>p2;w zGDOi_buRB>lsiOF%1`qYkJFX>yG*kw^%x1^5U7(h1_8LVg|Tp?VPfx)?AD#5z0S=1)+2y0mJjcs_W zMNpD*$C9>gOd5WroY&W`H>(0y&oNrrLSbTTbVZD+l)p^DXy*w-*K}nybWqUzc+l2C zedTaBv)T`Nd8Jl5Ix=|_>g*iPj$@Jd^#Ld*@7~olLAB*Gz3|PvcFDJSl~+v|3wPbs zXq6!=ax)G0^EGm2^u5jE$EDy$#*y(fnK$&nS*Dje-PW<)LfRH-(#M$0Xs4brzdq!+ zL%d47tUzpy^ru%zo0>3Hnt{E{itN3Q0t9c9n)^cvH&eMf+!!9-W{2;b>Va9g=SPOA zw>07hhWEIwU=iXK`UEwS`Fe52rdQzP9a_RHPzR7)N^I1A<2h9l$=I}1vOR%6-5GW3 z!rCT+NOpi&ZezwAqaxa%Np^IEZX(I3CXfiPlI*B9=D&4z#g?+hC-qq#wBeW!I0P)E zl6ULX=o+w%cAo7QY1;WB8vNXEVa&6@D$%I5x^O=;MlXu#nfGndsbG2Y=`xsqG=u@9 zf<~9!*Tc_y(y_UN9kcjWA+v*dm$e@XM8oF0LvZeF)y!7zr!%R?dFB3@7sdYfWRtXs zGg;OOr6S)dACh=;1tPDtR&5RlwRMrMPSi9t#2?j{22|%I?<;SKU(*IOKFe_YakS<> z{dn=!g;$Re$aTxNHeO_4vn*)4jh3~EtLXFT_`N`+!&&iOSA<6l<>G5bh(SW{idacD~%e)DgFZcBgn>%>8GI)It zDm_uQi&+`=+?6{Z|AFCH9K9XVbB}|B$%q7=2b4K&%aoGWcrSp?;b*_8hUigWN|Ot# z^EDvVF`?vV7g*WwZ_pa7CZZcz#FjaUPPJgmoBopZ9sbAV3WjQ{;i>V7_L-o^?&+{d zm}7aeDAh>V%$ZW)$lm&7 zZls9|i>~tX9)A<ZmgD#vsns)U`LOd#3oSs{A6ZWz&z2Mc{S zlLKrS7T4iSqIJm5juup95V~o<^fwnq?-P*DP}xq~51jo6^G|hGpT2>OCX!jgCIQ-uY|DSUg`=#bxGXp0N= zfGkwR?L;7!ToX#erFp*tU-6w!Z?s5oas;#J7-c(^C8E%iJ8RN;^P!~ZhtLV6$TL}% z58-(I6p=mVtddB0XMSfX=UhAUp+(aB#P`?JB*8?V=e-wny3CQtCZ0j*WCxCAizmZk z{QU;*0CGh2_7U!2@jDiw)wT`}!nzt+&r4#h$+7S$G9V~pO2v?lT-+}R{sjrRFYaO; ztCj!=mfV}|ya(l2_FGq_9g2$w`phM5O;|aJp@h9m4~GBQC=w+kmyCV0IW*Sn7$ozC zz=%&?b=4<0Wp5~ z!2}w3CFfkWlWU9O5un~~qevF*3>b*Ep=OvIP6+n0<1Bqo_zL+pD$bKInWpgV@R2-C z2bOdo7?Sq$sI$;=pp>{P+f(|*5}a@Rqj7cz%_B~REKAl|aeJjjYt(p(J)UcnG%+JL zx?{A^Obf7S=Pk3v&giV?b>D_uN0xi(=FrYM>-JjYiT<#@0`fS1RJs7`kHZut{KrYW 
zE_Y5vsswo&38oMiYJze+@+BMMs?-?B>i*nlQ37e6$-aY`5p`_I|+O%W|xH|}Y*nL2aMpNXAOc6cO zeV^#t>a}omB5*vB=PVU(1u^UPkSqzxv=3CpT7}!;brqJaKlVUhqyPY4U$PS55YHHY zkg_oW0H|aD0A&Abatr+bCbt|M^&E}Pe4PAyl9vdw|+G(#)2 zU*0ARTSg5MhP|RlCjOJWNP7CKGiH}K%F?B2P2T}Rax!h`4}nSM5_%{ zqQ6qBcL&FH-P^$*aWaFF)o5>?066_+Oz~C~`FHaz$%+L+3rmrjtL0VnGE5@{S*G~z z4d|g$FzpB4S%2mEFxY&nUM(`6*X&klr=J7`gTE6g_*NAAmV}R^Sc+z`uenbr6Mamj~dVWl}&XU z6CxG}@xcGXh?_6Z^cRfR@CrmbHwJiLeeuPm7G6qF$}2LaWh3)IburO3EYUWysQHe*fZA*eY8dQ}JGi=BdH>B%UnA=0JfErO zkAYSnx3+ihpG^si4?Lr^8*O`C6Aj?p1D%M%hDh=n1(ASOxH&vZflf;NQYtYl>bM@X zZ6WA_uHF9FfRK!W{KGT9=OAW&+tES`3kcVC7L_aWXXGX>l$xKDmzClk_R|Lp<7t43 zQy7Y~E$NQme3qLUENQC;&;*$s$(ySxWt~4DU+>MU0iKu0eF=G)!?Kyewtp4kK4f2I z`$2DHu9(^}5erECNzyedBQ7#u^Mhl*k13;NEef$7B2*N|qT#Kfd9+!Jf>SS<4f zAw3Lz^Xbvkd>V?`YlhBob+W+yrB((IUx|>osZ9Y*DMfv~co#yu5r$L>E~Olq;B_W# zJ>*f*6yka#uL(T*TRK#Gc(sUDCVQyRV|m5xD`NMI!AQRTb$}u%W>W>feSG6>%&Bep6Jsrxg-=tUJC-2nSn3{f|20ij!z+z&t@ zH;{CX%@|!C&f_PYkNgv-%PWhqx{U-M_qe(l&1o3(xF*v!d+F`nY>Vvzy84^HWeLt(u8P`JYL5SCe`MF0 z=Ei87#Ti&#_C%YbSnXTICUd~7E`*H6MlqjO-JVx1P3eRRFy=MzXuib?H}zYr4nb`= zzs2gt+WDf@()pxtmY0n_Tg4xcyg^nnL6MseWdiFsOnH{uD!Ek^60Viy!pG*DT~oFWp?vyaY{L(4Lq+>B384=)W-j22pB8RnUY$B_l;uZA zR6}G4V2th9c({v}qd{A0H^2O@Br&uuM@-ABtRy}t#4YCub1OzT2Er+-p~ zVT-ea%bU5CYC8v^2Nw7F&jYVZaIOc;pE+QRigIuIpx7FQ!A`UFE>B-N(4nQS_z0|DM ziCf5i#cZCv^US|#>8~xGJhu+1cnamo_PyjgQ$mAsoMC z+88@#%FrqP-jua>0`b9y6H;f1(7)n=XvE5rO2z6@g%B1z_O=$9Fk@_)XX(2q7PxEa z>BEZc({dKY&d5BfN^|vs)gqo`|1xAqV4~)TXHvKA%mBS>X)I#1%jq8E-*)mgaN&sB zKj$(=)^-vV956vvN0tc|uJwMlVmSRrDi0sY6bE*Q5635A;`Es{PX%I$EwVN?;tpac zK5c8Y>E4q6Cz)hG|5Jzb@`VR_&@gmPI2YbSPPjtEYqJ9rMd|*HhQ7#LNPhUN_VGh+ z{m~ASkTyEd!z{wDrw_`A){Z>yuLYS@<)hCjD>dcN9}&NAn}1rh*5P7)RW!c;!KT_T z$VU~WAjTfD=~nK-eff;J3ihtSnx)YI&_IGMjFYK)f7q@1E-3ncaT%hUiE{k6s-?pI zZ>om;e^t%E#@g7-gw~3h)=JOJn#R%iU*fioY38uT^4R7*fWag-q|a}d6w(4o7f?3pbm8+6N3-2gb<(&n<1|1D2)?`RS{m0^FtA0w<-Kz$ zO^%tCL~p!qGkusXvSru@j2;u)pupm;JW;~ScZ@w-XboQydKs}$nC>K!VCg}BWNDJ zikdMP!o*Q-J@f1-ih?^cbDw)AA7~$FQG+RrLSzDRJuh6zYbk 
zFG@vqO8Ez?*5t9U23jHxL-6&@_~D@upc5zuRJo~s(1g9Jy8e=Kaij2j(8SNnfWH;O zBu_veoAlHm<#q7sQHw`G!4gFeXJBbK)DzKLOqP)P&)J1?q5P08VXD|OqLR(TjOP>V z0sQo83O0ue+06p@9RcKVk&T#TfL~O+be&QcoFdUcSewf;=+!799%*Lls~ce4gM~gb1;ndTEdaUb0#8IRl^)7eFe#D#>OFI%q>g4&Ir_ zym?vCz-?oO?ng+mo|9}cbD%1o3qz3vyhpFW&{9Bs2kDke~@EtXN7$B<~+@!gl zTd;V5StQnM1o!n%;AAmjNzR<9J+o1CsA$fi@pYbX*IeAk zSF|0L13gj1=OwKcop8x^DT^z_5fu%!VF9cA6;tZ$j|=MiU~N2q$(FRvu2O*Gj&?vF z$7Ez?c*e{hJ<5s{0~>)78gqTOQ@}I7gKAA3*{jbEdjZ?=+S|~t zf>(9LC0eX&avQcnH5MA4xmqb<4UZ=behtZ#Wn1fFow2Uj6v-7JZXOP}R5}NDTv%s2 zf*eFNfSX$N_(Lhh{9r(uA{T%R0}eGvK$=e%-Vg*N9{lf+I&?FqNFnk;bc9W z2NG5u^^>7M6JDLe&O6E`NBt@^$Iq(bYqt^NICv~nR~Cvr1R!XNsb57v4GQdm+b|0CGFP|#kspMj zpE8=Me9jsj?ZQqIiE>R@uuAUNNBraM4WGxr6IKzF#HZl;`N!)XtsruA#vp3KemXHe z7u|%8N1uOMSUcI<`~&maWPlF1b636C?Tb#0;Tk?w7^y^G?p0E4h2V3sUg5p6N$<~YEk2{Bp>X0U@)L^=^(`= z3}FcqyPIdt#*mO45$}O~eAixP$A2J6FpB?C6pd5K2x!o7mYAFG#>_1LqyLd_wnTMB z5I(@5k_}uIAsWO##=34as@1JbWH6DhQ7}iDzEh5hRj_vW80me=*D&stao+S8*Ubc=n)Cst<9gRSGkDn zpO!4fNP53&eJHGO@kg;Ypl#5-8#TuV3kM_}#9X8o-SiXW((3D|FPtR$z^JWeWS+4!8ts!s)!PM%d84D* z`yFlj^={AmOQz>ZVbU=6a_D);2XxTq=>Vf^&RD)sR#GftQghZdr0c$j5tC=#^mV}_ zMH;>}8L*&bOchFRs$He(k+@f}8od$e^A&d@n}|vvYT8J>lV34$CwH`m`90O|@v;@9 z5>GQjxi^Tp$U1smWtmz91CiWK5>{Osem~-ul&Z%0OsTAT0AvM?S~<(xkugm*21z|G zXMMx*#DW8Jq`FU^ zTlI}`<_RsJd$(j+4RR#S`dzlLWFIhq+hl}rbUV&8dm4;k9NShj`BW+I` z|MX`!pN9ptoOJR@ifCNWN{b&yloG*6r8g|=V{e1N??+WEj@`PC}1 zRxXD1X~Ef!ouQ-E`wRtkHK<|(zIQj*GcZtfy=Yp&;*^Cp_$>d&qEP5rj3AyxSIcl? 
z^^B$~&dk~Z*i6f_g8%5LKrG;h+-RWaaYx-Zd>pKa1R(j&_?JCUj|L_*&5L4CAt?eJ zm;YczBFg1r=^Q^rW@LoWo$X9|HL;M~*X*e0q#=WO0a==v#^>#U=`Y+YolabgvAwoS zzVW(ajP76!2ruN!tQpuhNKOk@tKl>UG#W z`}Fm*XG;uQ5qztqf<@gyVw)pWf1A^CyZggE4<7a!{>{U#=fLvI^ms zkRR1!(DrDoIgcp12@^@>{aBI0kuI|YDX7B0u&S&|Q5!i$d30vT2kA!m&G1iZBSL#1 zzeUdyaZi%;GO`@Q!DdCKN3Jgxsi16lsKa*FlzdMl0ttI*sml)aucSLhbw>*cEF)eQ zJ{Q(}=kGk1|Bd?H+TJ17W+c35qaw+ezp)n)`H>da`ugR;*vxU{$Mk*zV{i@7fZho7 zj5AzyHi&Q@>z2l`2>t=KxWny}hzoqLBnOMvZRuUtzd%PU$JH_Gd+7$5_J0E%^nZYk zv!1<~p1!4#!{2EqLP08emF`FT9c5;30T+6ZE)ch^sYkiGQfd9tdH4qqYES5UEOo_W zm&zp2Pc!J}z-iBA#(47TudIkhMZWUjfTUyqyvwR*lzQY{bX)^ zdoX^MOA-!2^dFH|^toS`1)O{==S+?63j5#Dr z!g*9(be-4AHXyyBWL95&nLYVh=7Mo)N@0yEj1UFd<`SR}el~-LB{md>pxOel$0faU z*}9;YA5^suUO&6c#5yIv7F|COO~c3aAafd={Sj;-`jtIfNk6TSX|Uii*Ph}HwVYGw zF%X}S277VDNWVv96VXSZ=`rg3Y%CELv839DmG>^)I2X5_X2o7H+*?Gs>c&%4=Lg() zwOM%YZQDWyPiIb>T3(`=uSBCtQ<{ELD*gu{upB90F{#3}bvQoL^CgwmSSM@=95G( z%p|WI{~v=bp>6f20098Ecwj!!96E6LW@DbY3g)&d>{Y42Pps1 z0~5a==wA(g+pTnkVy(Qa{H&j?7DG6%Cf83I&>;0nRo;J1ii`pa z9P;n0zmEUj=wI|t<7i}WuV-vyZ$)EiV_-pJYGC;<`mayXh}Kz(-Pn2{$4nIgb-XBD zb;8gETCU|vGBPtJb`zG530ZZb*C-TiSz!_a9WjBAA_@J9R0Y&0_I$_7TzHdz&?uYS z+VHx0|9se3?>cUKTXNYN{1_W*_E~X4v%%Hz!is*vpw(_~e1RJmEM%IbL9bb+t> z^wjyVefkvm+WCCg>uWRllDJ*@D9hrCUYfePTj+D)3CG*ybew;4`8w!mYvXz9JA3=i zWmNin**8dp0Y-zq(&+&2N3~Zhk(D@p#(!c)sU#ejMI3eci%eeTDe=T!b9? 
zz@GyT0ip}xsJ+#TXgHj)VJOKK_WB(ViOfCwuE8y1QM@acDhoi6LS8v33LsDc7^E@5 zw?GRXP?Q_w8va>yPJ4)np~(biurih8kVAra4)ql+aBd^K47<@$sGE!8WwzGY>`N!Eam}( z<4dYWi7Z#)UVP!vb0AwLFdy=+2bsA=My^#o`zWPUkIbbQ9zc5{`&&5^@hnbF8z6#Z zq<&t8I)?!}{MicCu)FJ2j&?24{rp9#yMK>L@&tdU^-IiY??pgT4&4FSc5gefxGN?7 zVUHZhkPq$5*ZZc=M;F*oUy~0C_Pynv4(N~$?mLQk|6Vxlrgz-e^FeY~a7eVz^G1;l z&(||nh0SK?>oYXB{nu^46|m18@UzNeAf}kFc22vSt-4-XeDc-4)q%8b1aL11n_70b zq`b}A!5>S(49qf12edRf_Bnasiqz>p>SxO4#t5z@j#a?Q z664EZGG^V{1qx%D;|%BLd?x~9kCy;`&00!SLEIhd(F#MDAgk)ht3SpsVbfs5z}{D% z!y5RNC;puJuYE?GFKf0wGN@G#@}o4hSvLgKr=D3J!=>!)ku0i_KX)K#qJP3Fb~Zr0cv$9^1GpEmWs{_zS|&!KoHzh?g?oQIAls1XI6vi5z5iD z!&UW2F|BsciI@(Pl5kBa9r%y5X?bFcLc>NimksN3Fe0Ukh6rLxtLh0I9){i}fh|n2 zMCjBam%$)~1SSsLhA6B~V9vTg$sE4t_@Xv1&{EFw;GDfZzacZMOrK)*2~bQcSJ}$0 zNMl=`?JrvTp7@$NI>VAAhr_rhmk43K?Mg{h!Tv((*pOmE^A8_Hxf{)aeh&Q+d2UHI zv)&lOVJA?Dx_cj>np~BJ!*V%D*HMgFMoZO4T{cUiyFO?p<{%BPNqwTym99EV%-GsO zEWNx#jWWc_8(!&2$XpXj|9EcXjBtuCL7@d0=BY;GfO;kryp&iSL`uB8&wU3%H|?s* z+%Ulv1UF33=4yd`s3@!{Z~KT6{kxWuuhg-y!zNr0L;~7*=ya1%rNVL<0wJWFrf9W? 
zCz!|t)-Q#Z6;OaGRYO_Iw9!>*u2DOz$dQdI3Q3-TyJ(k~1Cn}sXJq;!Bzji&af?4F z#8s`zn?k(Y+6Nn=RKbDYo~7u#Cuc6 z>v{kj&+BpbsA-Eq_e9H9~jiA?q%z2}&Q+eND00kiqie z#OT~%5{|K6U(F%I`V5mTjytqo#=f3j7H{h7&&VhESa2J~uZ&ngttoOI;abZukWlJ8 z;Yoa#VH5&)3$n6a#B4kBg^x~?HD5eb4)~R2p=0nnITs)*kC;ed zfRmGTEDJ1;(}&A6ag{BUUSk(vQ#DHQH613=bx$!BZq^3NvRqJ9 zUsBaJ)GlK@Z4wx8*~Qh<5Q+UsSc^~(o$Pq8ZA#=C^00}d6w-9iT$#R|!?+wmGNRQW z4JwWc%_2^}nYG$Tv%eBoMJp6Ve;D@5ujkg3J=zb_gj_uZH+~(G80rebjQ+TAq1~R7xg)5=D&nI&}-HmsMpr-9NvBXy@2BO6(O1 zM#Vq}X0C_kTCkLyxFUIcw&fjwu&z5L`MY@3N|xJ+*DO*KktM`H8ek!wApA+!x~rBJ zPOBS9ep^yVm!r87qcUlHC;j$<*rQhqvC8Z~S-c^@9h@#4Gx=2A(|Jw%1d30o1Jjbf zbi}rYzE+E(I{Yc#je60T0ju>j+}!y$Z9gwNGd%?Yme_=T0JRF6qDE2#D&M+&A5J7B z0QlLtYS}@U7}^0PfmEL83_Q;0pR=l+@f^&h%J0ZQ4vrz+D~#QRabYq}9BVQoQ!Jzy z;m<7R(|)ZTj?hBgQblO~Sx``EfX1VGczs=WN$hlGxeB1g-Aw2iD$;->Mv{mQ&$|@P z>+Zu>(!&b|=U&!vXGk>9=l+IB*XzKN4bNM5XDn@Jk&pLVkq)Ql=kp;e-uq*~Rp->* zj>+4Y%*B@X=VPcv{P8KnDKp#Ys0T7um9}s43JiTU_Iw;_xE6w);tl)S@|&1lF410Z zgYoEE>TAq7bt%+z0+yc5>!ddKxFDp0$wFg5stQ5w?W%%O zOhG~#s`a_*0wS*n3PUOwXv-YK;h&)meLp!?Z zq(hg)l#CDhVppT_t_4_BeLtluYvHL|;vgt)OrH~IVQ(kD-x8uPjz5RKU`-H?mUN?a z03H!5Lm2g)S@f)C$Ub(8>Mw$(7D^|a$=1VM>4pZ2%I>;`@$cG`K*RKnwaOW$i5Qoe zhsByY>#0-mtp+<$IE9@~x*|&PJxSk8>fhvW`Ui*9w)60reE|^nAOl}hodEAo|DuXA z&jwYPZ`58#|BEUBfqnq|dn<##*Ma@DmBD}7KQ=b_=gogF!T76G?BBNWU0UX7{GWwm z|GfL}sm{O3H2!T_c>lWlKZ`d0>EiE;2!B!0zs-sGFBktkL;6ooe+SOL79IX=+VubF z>3>{;_@}$S)8k*1`fu}O{D-^$fm#3Q?eAFl7jgdEKL5kp|HPmF^!4|_@Sl&&;Tw1V aH>{ME00sN2<-c~p-~a*u7~%cv>i+=$j+CST literal 0 HcmV?d00001 diff --git a/src/final-assessment/IaCSec/Vault-on-VM/variables.tf b/src/final-assessment/IaCSec/Vault-on-VM/variables.tf new file mode 100644 index 0000000..0b2b1a7 --- /dev/null +++ b/src/final-assessment/IaCSec/Vault-on-VM/variables.tf 
@@ -0,0 +1,63 @@
+# ---------------------------
+# Azure Key Vault
+# ---------------------------
+variable "tenant_id" {
+ default = ""
+}
+
+variable "key_name" {
+ description = "Azure Key Vault key name"
+ default = "generated-key"
+}
+
+variable "location" {
+ description = "Azure location where the Key Vault resource to be created"
+ default = "uksouth"
+}
+
+variable "resource_group_name" {
+ type = string
+ default = "vault-vm-rg"
+}
+
+
+# ---------------------------
+# Virtual Machine
+# ---------------------------
+variable "public_key" {
+ default = ""
+}
+
+variable "subscription_id" {
+ default = ""
+}
+
+variable "client_id" {
+ default = ""
+}
+
+variable "client_secret" {
+ default = ""
+}
+
+variable "vm_name" {
+ default = "vault-vm"
+}
+
+variable "vault_version" {
+ # NB execute `apt-cache madison vault` to known the available versions.
+ default = "1.9.4"
+}
+
+variable "azure_sp_key" {}
+
+variable "credentials" {
+ description = "Azure Service Provider Credentials"
+ type = map(string)
+ default = {
+ subscription_id = "8eb30f69-69f6-4ff0-99ea-f9edd2274036"
+ tenant_id = "2a05ac92-2049-4a26-9b34-897763efc8e2"
+ client_id = "12d6c386-4977-4aea-9b56-902c514c9d14"
+ }
+}
+
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/versions.tf b/src/final-assessment/IaCSec/Vault-on-VM/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/src/final-assessment/IaCSec/Vault-on-VM/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/.terraform.lock.hcl b/src/final-assessment/IaCSec/aws-infrastructure/.terraform.lock.hcl
new file mode 100644
index 0000000..e9ce808
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/.terraform.lock.hcl
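Review bot: Neither `client_secret` nor `azure_sp_key` is declared `sensitive = true`, so their values are printed in `terraform plan` output and in any CI log that captures it; `azure_sp_key` also has no `type`. Add `sensitive = true` to both (and `type = string` to `azure_sp_key`), and consider the same for `public_key` only if it is treated as private material downstream. The `credentials` map hard-codes a subscription, tenant and client id as defaults while `tenant_id` and `client_id` are separately declared with empty defaults; keep one source of truth and move the concrete ids out of the repository into tfvars or environment variables. `vault_version` defaults to `1.9.4`, which appears to be well behind current releases; worth a comment on why it is pinned or a bump.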
@@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.67.0" + constraints = ">= 3.28.0, >= 3.72.0, >= 3.73.0, ~> 4.44, >= 4.45.0" + hashes = [ + "h1:LfOuBkdYCzQhtiRvVIxdP/KGJODa3cRsKjn8xKCTbVY=", + "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060", + "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6", + "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183", + "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1", + "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29", + "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7", + "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043", + "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362", + "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf", + "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b", + "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c", + "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c", + "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d", + ] +} + +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.3.2" + constraints = ">= 2.0.0" + hashes = [ + "h1:2jb+BfT5T96dXxUD2LQ6MtVHpXErd7ZybmMvdWE2jd4=", + "zh:2487e498736ed90f53de8f66fe2b8c05665b9f8ff1506f751c5ee227c7f457d1", + "zh:3d8627d142942336cf65eea6eb6403692f47e9072ff3fa11c3f774a3b93130b3", + "zh:434b643054aeafb5df28d5529b72acc20c6f5ded24decad73b98657af2b53f4f", + "zh:436aa6c2b07d82aa6a9dd746a3e3a627f72787c27c80552ceda6dc52d01f4b6f", + "zh:458274c5aabe65ef4dbd61d43ce759287788e35a2da004e796373f88edcaa422", + 
"zh:54bc70fa6fb7da33292ae4d9ceef5398d637c7373e729ed4fce59bd7b8d67372", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:893ba267e18749c1a956b69be569f0d7bc043a49c3a0eb4d0d09a8e8b2ca3136", + "zh:95493b7517bce116f75cdd4c63b7c82a9d0d48ec2ef2f5eb836d262ef96d0aa7", + "zh:9ae21ab393be52e3e84e5cce0ef20e690d21f6c10ade7d9d9d22b39851bfeddc", + "zh:cc3b01ac2472e6d59358d54d5e4945032efbc8008739a6d4946ca1b621a16040", + "zh:f23bfe9758f06a1ec10ea3a81c9deedf3a7b42963568997d84a5153f35c5839a", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.22.0" + constraints = ">= 2.10.0" + hashes = [ + "h1:EBi28mEwbQJXL25oZCMaPrOUvMm6fukV5hUPleKY2w0=", + "zh:1eac662b1f238042b2068401e510f0624efaf51fd6a4dd9c49d710a49d383b61", + "zh:4c35651603493437b0b13e070148a330c034ac62c8967c2de9da6620b26adca4", + "zh:50c0e8654efb46e3a3666c638ca2e0c8aec07f985fbc80f9205bed960386dc9b", + "zh:5f65194ddd6ea7e89b378297d882083a4b84962edb35dd35752f0c7e9d6282a0", + "zh:6fc0c2d65864324edde4db84f528268065df58229fc3ee321626687b0e603637", + "zh:73c58d007aba7f67c0aa9029794e10c2517bec565b7cb57d0f5948ea3f30e407", + "zh:7d6fc9d3c1843baccd2e1fc56317925a2f9df372427d30fcb5052d123adc887a", + "zh:a0ad9eb863b51586ea306c5f2beef74476c96684aed41a3ee99eb4b6d8898d01", + "zh:e218fcfbf4994ff741408a023a9d9eb6c697ce9f63ce5540d3b35226d86c963e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f95625f317795f0e38cc6293dd31c85863f4e225209d07d1e233c50d9295083c", + "zh:f96e0923a632bc430267fe915794972be873887f5e761ed11451d67202e256c8", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + constraints = ">= 3.0.0" + hashes = [ + "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + 
"zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+ "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+ "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+ "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+ "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+ "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+ "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+ "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml
new file mode 100644
index 0000000..68ecaa5
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ubuntu-pod
+spec:
+ containers:
+ - name: ubuntu-container
+ image: ubuntu:latest
+ command: ["sleep", "3600"]
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/sarolebinding.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/sarolebinding.yaml
new file mode 100644
index 0000000..c0fe0c3
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/sarolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: my-service-account-binding
+subjects:
+- kind: ServiceAccount
+ name: my-service-account
+ namespace: default # Replace with your desired namespace
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin # Replace with the desired ClusterRole (or create your own)
+ apiGroup: rbac.authorization.k8s.io
+
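Review bot: The pod spec pins `image: ubuntu:latest`, so what actually runs changes silently between applies and cannot be audited; pin a tag or, better, a digest. The container also has no `securityContext` and no resource limits, so it runs as root with default capabilities; for a long-lived `sleep` test pod add `securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false }` under the container and a `resources.limits` block.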
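Review bot: This `ClusterRoleBinding` grants `cluster-admin` to `my-service-account` in `default`, which is full control of the cluster for any pod that mounts that service account's token; the inline "Replace with the desired ClusterRole" comment shows the value was meant as a placeholder, but `cluster-admin` is what gets applied. Scope it to a namespaced `Role`/`RoleBinding` carrying only the verbs the lab needs, or at minimum document the intent with `# lab only: cluster-admin is deliberately over-privileged for the assessment`. Note the same service account's bearer token is committed in the sibling `token` file in this commit, so the two changes together expose a cluster-admin credential.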
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/serviceaccount.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/serviceaccount.yaml
new file mode 100644
index 0000000..eea07f5
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: my-service-account
+ namespace: default
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/token b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/token
new file mode 100644
index 0000000..fc430cd
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/token
@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsImtpZCI6ImE0YWMyNzZiZTc5ZWQ5ZTA4YjM3ODg2YWNlZGEwNDM5ZGNiMDhjNmIifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY5MTQ5MjMwNSwiaWF0IjoxNjkxNDg4NzA1LCJpc3MiOiJodHRwczovL29pZGMuZWtzLmV1LXdlc3QtMy5hbWF6b25hd3MuY29tL2lkLzI4RjZEQkM1MUNDMTU0QkRENThDRDE1QkIyNjBDNTBDIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6Im15LXNlcnZpY2UtYWNjb3VudCIsInVpZCI6ImFkNDk3NGVlLTFhZDEtNDFjZi05ODJjLWZmNDBlOGI1YThkYiJ9fSwibmJmIjoxNjkxNDg4NzA1LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteS1zZXJ2aWNlLWFjY291bnQifQ.LoOQTJpw_g80KvVSeUFRqtEYdtiGg69cw07iI1borIQ-KPBYC3y-QBD9iUjIr3Kytc7hSTd-b4OrMQQDpWOdXcxx24LjjNIWssb2Mm3LNnW8c0xi1Cr0wRdOu7gNWkq79L7zDeZdhS8mIQZHR9CQJzCFsIhDuTP1zU_IVbfCj9-UZHstQJ03I5JhYEdWlsje7bpV8wE07wenOxiCJzCrQMtvNDCxl6PUuadSRha6Hn5UhFtZ0O6TP4EsDeVLStf8v_FpMdppGwr3vy9GpOVwnmyXBdl51TIm4YxbKyXhoYNxD9QCbioTpjYTTWTfNPNCTXd1I0bDs7sV3puK3kfArA
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/data.tf b/src/final-assessment/IaCSec/aws-infrastructure/data.tf
new file mode 100644
index 0000000..660d166
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/data.tf
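Review bot: The new `token` file commits a Kubernetes service-account bearer JWT for `my-service-account`, the identity that `sarolebinding.yaml` in this same commit binds to `cluster-admin`. Decoding the payload suggests a one-hour projected token issued in early August 2023, so it is most likely expired, but it still discloses the cluster's EKS OIDC issuer URL and the service-account UID, and the pattern will recur with a fresh token. Remove the file, add `token` (or the whole directory) to `.gitignore`, delete and recreate the service account so any outstanding tokens are invalidated, and purge the blob from history since the commit is already pushed. In `serviceaccount.yaml`, consider `automountServiceAccountToken: false` so pods only receive the token when explicitly requested.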
@@ -0,0 +1,3 @@
+data "aws_availability_zones" "avzs" {
+ all_availability_zones = true
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/eks_module.tf b/src/final-assessment/IaCSec/aws-infrastructure/eks_module.tf
new file mode 100644
index 0000000..1b5f2e0
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/eks_module.tf
@@ -0,0 +1,67 @@
+#tfsec:ignore:aws-ec2-no-public-egress-sgr
+#tfsec:ignore:aws-eks-no-public-cluster-access
+#tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
+module "eks" {
+ source = "registry.terraform.io/terraform-aws-modules/eks/aws"
+ version = "19.0.4"
+
+ cluster_name = var.eks_cluster_name
+
+ iam_role_name = "${var.eks_cluster_name}-cluster"
+ iam_role_tags = {
+ Name = "${var.eks_cluster_name}-cluster"
+ }
+
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = [
+ module.vpc.public_subnets[0],
+ module.vpc.public_subnets[1]
+ ]
+
+ eks_managed_node_groups = {
+ private-nodes = {
+ create = true
+ capacity_type = "ON_DEMAND"
+ instance_types = ["t3a.medium"]
+ desired_size = 1
+ max_size = 2
+ min_size = 1
+ iam_role_additional_policies = {
+ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ }
+ }
+ }
+
+ cluster_endpoint_public_access = true
+ enable_irsa = false
+ cluster_enabled_log_types = ["api", "authenticator", "audit", "scheduler", "controllerManager"]
+
+
+ # node_security_group_additional_rules = {
+ # egress_all = {
+ # description = "Allow egress only inside the vpc and to other AWS IPs"
+ # protocol = "-1"
+ # from_port = 0
+ # to_port = 65535
+ # type = "egress"
+ # cidr_blocks = [module.vpc.vpc_cidr_block, "16.12.18.0/23", "16.12.20.0/24", "3.5.224.0/22", "52.95.154.0/23", "52.95.156.0/24"]
+ # }
+ # # FORSE NON HAI AGGIUNTO LA VIOLATION -> "CRITICAL Security group rule allows egress to multiple public internet addresses"
+ # }
+ create_cloudwatch_log_group = false
+
+
+ cluster_addons = {
+ "vpc-cni" = {
+ addon_version = "v1.12.5-eksbuild.2"
+ resolve_conflicts = "OVERWRITE"
+ }
+ }
+
+ tags = {
+ LAB = "tesi_manuel"
+ infra = "terraform"
+ }
+}
+
+
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/main.tf b/src/final-assessment/IaCSec/aws-infrastructure/main.tf
new file mode 100644
index 0000000..0781dbf
--- /dev/null
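Review bot: `cluster_endpoint_public_access = true` is set without `cluster_endpoint_public_access_cidrs`, so the Kubernetes API endpoint is reachable from any address, and the three `#tfsec:ignore` pragmas at the top suppress exactly that finding with no recorded justification. Restrict it, e.g. `cluster_endpoint_public_access_cidrs = ["<ADMIN_CIDR>/32"]` (placeholder) together with `cluster_endpoint_private_access = true`, and give each ignore a trailing `# why: ...` comment so the exception is auditable. The node group is named `private-nodes` but `subnet_ids` selects `module.vpc.public_subnets`, which contradicts the name and gives worker nodes public addresses. `enable_irsa = false` means pods cannot be given scoped AWS roles and will fall back to the node instance role, including the SSM policy attached here; worth a comment if that is intentional for the lab.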
+++ b/src/final-assessment/IaCSec/aws-infrastructure/main.tf
@@ -0,0 +1,33 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.44"
+ }
+ }
+ backend "s3" {
+ bucket = "thesis-manuel-terraform-state-sysdig"
+ key = "terraform/eks-state/tfstate.json"
+ access_key = var.backend_access_key
+ secret_key = var.backend_secret_key
+ region = "eu-west-3"
+ encrypt = true
+ }
+}
+
+data "aws_availability_zones" "available" {}
+
+provider "aws" {
+ region = var.region
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+}
+
+
+# module "vpc_instance" {
+# source = "./modules/vpc_module"
+# }
+
+# module "eks_instance" {
+# source = "./modules/eks_module"
+# }
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/rds.tf b/src/final-assessment/IaCSec/aws-infrastructure/rds.tf
new file mode 100644
index 0000000..6bfa9ed
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/rds.tf
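Review bot: The `backend "s3"` block reads `var.backend_access_key` and `var.backend_secret_key`, but Terraform does not allow variables or expressions inside backend configuration, so `terraform init` will fail on these two lines. Drop them and supply the backend credentials with `-backend-config=...` or the standard `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables or a named profile; the same environment-based approach lets `provider "aws"` omit its static `access_key`/`secret_key` arguments, which otherwise end up in plan output and state. `data "aws_availability_zones" "available" {}` duplicates the `avzs` data source added in `data.tf` in this commit; keep one of them.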
@@ -0,0 +1,116 @@
+
+resource "aws_db_instance" "rds_db" {
+ count = 1
+ db_name = "tracking"
+ allocated_storage = 20
+ engine = "postgres"
+ instance_class = "db.t3.micro"
+ username = "manuel"
+ password = var.db_pwd
+ db_subnet_group_name = module.vpc.database_subnet_group_name
+ skip_final_snapshot = true //inserito solo per permettere una destroy immediata
+ vpc_security_group_ids = [aws_security_group.db_plane_sg.id]
+
+ backup_retention_period = 5
+ iam_database_authentication_enabled = true
+ storage_encrypted = true
+ #tfsec:ignore:aws-rds-enable-deletion-protection
+ deletion_protection = false //inserito solo per permettere una destroy immediata
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = aws_kms_key.rds_performance_insights.arn
+ performance_insights_retention_period = 7
+ multi_az = true
+ tags = {
+ LAB = "tesi_manuel"
+ infra = "terraform"
+ db_name = "rds_db"
+ }
+
+}
+
+resource "aws_kms_key" "rds_performance_insights" {
+ enable_key_rotation = true
+ deletion_window_in_days = 7
+ policy = data.aws_iam_policy_document.insight.json
+}
+
+data "aws_iam_policy_document" "insight" {
+ policy_id = "key-policy-insight"
+ statement {
+ sid = "Enable IAM User Permissions"
+ actions = [
+ "kms:*",
+ ]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:%s:iam::%s:root",
+ data.aws_partition.current.partition,
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ resources = ["*"]
+ }
+ statement {
+ sid = "Allow viewing RDS Performance Insights"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
+ ]
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [
+ format(
+ "arn:aws:iam::%s:user/ma.colotti@reply.it",
+ data.aws_caller_identity.current.account_id
+ )
+ ]
+ }
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:ViaService"
+ values = ["rds.${data.aws_region.current.name}.amazonaws.com"]
+ }
+ condition {
+ test = "ForAnyValue:StringEquals"
+ variable = "kms:EncryptionContext:aws:pi:service"
+ values = ["rds"]
+ }
+ condition {
+ test = "ForAnyValue:StringEquals"
+ variable = "kms:EncryptionContext:service"
+ values = ["pi"]
+ }
+ }
+}
+
+resource "aws_security_group" "db_plane_sg" {
+ name = "db-plane-sg"
+ vpc_id = module.vpc.vpc_id
+ description = "Security group for dbs"
+
+ tags = {
+ Name = "db-plane-sg"
+ LAB = "tesi_manuel"
+ infra = "terraform"
+ }
+}
+
+resource "aws_security_group_rule" "node_ingress" {
+ description = "DB ingress rule"
+ type = "ingress"
+ security_group_id = aws_security_group.db_plane_sg.id
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ source_security_group_id = module.eks.node_security_group_id
+}
+
+output "endpoint" {
+ value = aws_db_instance.rds_db[0].address
+}
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/setenv.ps1 b/src/final-assessment/IaCSec/aws-infrastructure/setenv.ps1
new file mode 100644
index 0000000..e69de29
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/sysdig-eks-agent/sysdig-eks-agent.sh b/src/final-assessment/IaCSec/aws-infrastructure/sysdig-eks-agent/sysdig-eks-agent.sh
new file mode 100644
index 0000000..70e2aed
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/sysdig-eks-agent/sysdig-eks-agent.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+helm repo add sysdig https://charts.sysdig.com
+helm repo update
+helm install sysdig-agent --namespace sysdig-agent --create-namespace \
+ --set global.sysdig.accessKey=41446d91-a0b9-4930-abbb-e2dc391ca564 \
+ --set global.sysdig.region=eu1 \
+ --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
+ --set global.kspm.deploy=true \
+ --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
+ --set global.clusterConfig.name=eks-lab-cluster-module \
+ sysdig/sysdig-deploy
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/variables.tf b/src/final-assessment/IaCSec/aws-infrastructure/variables.tf
new file mode 100644
index 0000000..ddeaf7a
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/variables.tf
@@ -0,0 +1,45 @@
+variable "aws_access_key" {}
+variable "aws_secret_key" {}
+variable "backend_access_key" {}
+variable "backend_secret_key" {}
+
+variable "region" {
+ type = string
+ default = "eu-west-3"
+}
+
+variable "vpc_name" {
+ type = string
+ default = "eks-lab-vpc-module"
+}
+
+variable "eks_cluster_name" {
+ type = string
+ default = "eks-lab-cluster-module"
+}
+
+variable "private_subnets_num" {
+ type = number
+ default = 1
+}
+
+variable "public_subnets_num" {
+ type = number
+ default = 2
+}
+
+variable "db_subnets_num" {
+ type = number
+ default = 2
+}
+
+
+variable "cidr_block" {
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "db_pwd" {
+ type = string
+ sensitive = true
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/vpc_module.tf b/src/final-assessment/IaCSec/aws-infrastructure/vpc_module.tf
new file mode 100644
index 0000000..3b27f55
--- /dev/null
+++ b/src/final-assessment/IaCSec/aws-infrastructure/vpc_module.tf
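Review bot: `aws_access_key`, `aws_secret_key`, `backend_access_key` and `backend_secret_key` are declared with empty bodies, so they have no type and are not marked sensitive; Terraform will print their values in plan/apply output and any CI log, and they end up in plain text in the state. Declare each as `variable "aws_secret_key" { type = string; sensitive = true }` (and likewise for the other three), exactly as `db_pwd` already does at the bottom of this file. Better still, drop the four key variables and rely on the provider's credential chain, which is the only option the S3 backend supports anyway.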
@@ -0,0 +1,205 @@ +#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs + +# public subnet +# internet gateway +# comms between public and private +module "vpc" { + source = "registry.terraform.io/terraform-aws-modules/vpc/aws" + version = "3.18.1" + + cidr = var.cidr_block + azs = data.aws_availability_zones.avzs.names + enable_dns_hostnames = true + + private_subnets = [for i in range(var.private_subnets_num) : cidrsubnet(var.cidr_block, 8, i)] + private_subnet_names = [for i in range(var.private_subnets_num) : "private-subnet-${i}"] + + + public_subnets = [for i in range(var.public_subnets_num) : cidrsubnet(var.cidr_block, 8, i+1)] + public_subnet_names = [for i in range(var.public_subnets_num) : "public-subnet-${i}"] + private_subnet_tags = { + "kubernetes.io/cluster/${var.eks_cluster_name}" = "owned" + } + + database_subnets = [for i in range(var.db_subnets_num) : cidrsubnet(var.cidr_block, 8, var.private_subnets_num + var.public_subnets_num + i)] + database_subnet_names = [for i in range(var.db_subnets_num) : "db-subnet-${i}"] + database_subnet_group_name = "rds-db" + + manage_default_security_group = true + default_security_group_egress = [] + default_security_group_ingress = [] + default_security_group_name = "${var.vpc_name}-default-sg" + // regula e tfsec beccano un falso positivo riguradante il flowlog durante lo scan + + + map_public_ip_on_launch = true + + enable_flow_log = true + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + + flow_log_cloudwatch_log_group_name_prefix = "/aws/${var.vpc_name}-logz/" + flow_log_cloudwatch_log_group_name_suffix = "test" + flow_log_cloudwatch_log_group_kms_key_id = aws_kms_key.vpc_key.arn + + vpc_tags = { + Name = var.vpc_name + "kubernetes.io/cluster/${var.eks_cluster_name}" = "owned" + } + + tags = { + LAB = "tesi_manuel" + infra = "terraform" + } +} + +resource "aws_kms_key" "vpc_key" { + enable_key_rotation = true + deletion_window_in_days = 7 + policy = 
data.aws_iam_policy_document.cloudwatch.json +} + +data "aws_caller_identity" "current" {} + +data "aws_partition" "current" {} + +data "aws_region" "current" {} + +data "aws_iam_policy_document" "cloudwatch" { + policy_id = "key-policy-cloudwatch" + statement { + sid = "Enable IAM User Permissions" + actions = [ + "kms:*", + ] + effect = "Allow" + principals { + type = "AWS" + identifiers = [ + format( + "arn:%s:iam::%s:root", + data.aws_partition.current.partition, + data.aws_caller_identity.current.account_id + ) + ] + } + resources = ["*"] + } + statement { + sid = "AllowCloudWatchLogs" + actions = [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + effect = "Allow" + principals { + type = "Service" + identifiers = [ + format( + "logs.%s.amazonaws.com", + data.aws_region.current.name + ) + ] + } + resources = ["*"] + } +} + + + +module "vpc_vpc-endpoints" { + source = "registry.terraform.io/terraform-aws-modules/vpc/aws//modules/vpc-endpoints" + version = "3.18.1" + + vpc_id = module.vpc.vpc_id + security_group_ids = [aws_security_group.endpoints.id] + //subnet_ids = module.vpc.public_subnets + + endpoints = { + s3 = { + service = "s3" + route_table_ids = module.vpc.private_route_table_ids + service_type = "Gateway" + tags = { Name = "s3" } + subnet_ids = module.vpc.public_subnets + }, + ec2 = { + service = "ec2" + private_dns_enabled = true + tags = { Name = "ec2" } + subnet_ids = module.vpc.private_subnets + }, + sts = { + service = "sts" + private_dns_enabled = true + tags = { Name = "sts" } + subnet_ids = module.vpc.public_subnets + }, + ecr_api = { + service = "ecr.api" + private_dns_enabled = true + tags = { Name = "ecr_api" } + subnet_ids = module.vpc.public_subnets + }, + ecr_dkr = { + service = "ecr.dkr" + private_dns_enabled = true + tags = { Name = "ecr_dkr" } + subnet_ids = module.vpc.public_subnets + }, + ssmmessages = { + service = "ssmmessages" + private_dns_enabled = true + tags = { Name = 
"ssmmessages" } + subnet_ids = module.vpc.public_subnets + }, + ec2messages = { + service = "ec2messages" + private_dns_enabled = true + tags = { Name = "ec2messages" } + subnet_ids = module.vpc.public_subnets + }, + ssm = { + service = "ssm" + private_dns_enabled = true + tags = { Name = "ssm" } + subnet_ids = module.vpc.public_subnets + }, + cloudwatch = { + service = "logs" + private_dns_enabled = true + tags = { Name = "logs" } + subnet_ids = module.vpc.public_subnets + } + } + + tags = { + LAB = "tesi_manuel" + infra = "terraform" + } +} + +resource "aws_security_group" "endpoints" { + name = "endpoints-ingress" + vpc_id = module.vpc.vpc_id + description = "Security group for interface endpoints" + + tags = { + Name = "endpoints-ingress" + LAB = "tesi_manuel" + infra = "terraform" + } +} + +resource "aws_security_group_rule" "endpoint-ingress" { + description = "Endpoint ingress rule" + type = "ingress" + security_group_id = aws_security_group.endpoints.id + from_port = 1025 + to_port = 65535 + protocol = -1 + source_security_group_id = module.eks.node_security_group_id +} diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md new file mode 100644 index 0000000..7911864 --- /dev/null +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -0,0 +1,14 @@ +# IaC Security Assessment + +## Components included: +- AWS infrastructure (Terraform) +- Azure Observability (Terraform) +- HCP Vault on VM (Terraform) +- Azure MySQL Database (Terraform) +- Keycloak (Terraform) +- Kubernetes (YAML) + +## Main Vulnerabilities - Checkov +## Main Vulnerabilities - Sysdig App + +## Run time of pipelines \ No newline at end of file diff --git a/src/final-assessment/IaCSec/keycloak_webapp/.terraform.lock.hcl b/src/final-assessment/IaCSec/keycloak_webapp/.terraform.lock.hcl new file mode 100644 index 0000000..8042219 --- /dev/null +++ b/src/final-assessment/IaCSec/keycloak_webapp/.terraform.lock.hcl 
@@ -0,0 +1,42 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/azure/azapi" { + version = "1.6.0" + constraints = "1.6.0" + hashes = [ + "h1:811BWhYipddBITHXvIIAr20JcKkl27P/Vve8ewyUecw=", + "zh:0784acbac6d911f31176713bcfb5e3a4a8085cff8f55283a37b0d8e784b2ea79", + "zh:3ff0ddb2b0dfff4037eb8da856b0ba7bfb1328004bee638028c17ef28326bfdc", + "zh:5de832e66c2582063c5d29c2c4916deddbcbf7f7c277b60d30e3292f487f7064", + "zh:61f7b11d51508cb3c988cc2d846b8edb88f5461b5a6ff3a6539c6131999c4bf8", + "zh:7c267b474d26dd0f6e1b9674250cc3c66b7e5a31d26cd4f2138154260712d000", + "zh:830aef5fb62085652a151d8a593b6d60ce7e87f2526661840ecd147a5ca13e23", + "zh:885236c0921e6ee20e5c3aa2a82e90fef74873f094a9c27c3ddc688ec5a83e94", + "zh:93feb60ab4781a01a54ef6983781ae76e60908ffeb1037f2702146542b235ddc", + "zh:966cbb563b7aa8180d6f0ac029eb6cc6a4261a6e4dc7d7662f270d99066abcec", + "zh:a1974c3ee0fb9d6b6318985460c21c7bd439eff157f318b74570f725f0a537b1", + "zh:d2a3284c4546804b84913237dbdb31966be733eb5199699df5af25b69e11e012", + "zh:f83a023655e4385a6e4733c724c17eb262fcc06ad2a198ccb879c92ca50dcb2e", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.52.0" + constraints = "3.52.0" + hashes = [ + "h1:atlTwMcGXXF0rKzLNZhKj7djwoKT4b6in+xa2Hz09Y8=", + "zh:0c3029da7454f2fe7058939d95c458d9930842f06430cfcd0713713f3d788216", + "zh:826584f11eaaec7f179e85d9cc4833ec7a1d854ed4883c94317427ddfa7ffd11", + "zh:8fff204176ee1b08d168848d4bd7a051d7fd189688ca8b5f26eb31855ea060a6", + "zh:a170ebe199b93ea1f20357d848dfd0f5e50538236f09939d1a11a61dfbfded0f", + "zh:acea54d715186101f8a7725997578b231e4db50eea0fb9f9868ecd867008e6e6", + "zh:ae0f6a61677282a2f605ca9d0a74a08ae78ae2efeb372a33b9d4c7210fbbfd2c", + "zh:c2c2329f3864e10ee15993c1a48e79bf72d570bb6d08003038a37b73e551dbf9", + "zh:c7a4a117628ff0ad24e9c73f1087e9a02b8eca633b0913ee1687b0b4b5c7f377", + "zh:e1a290e708e7dbbde8747a98680f7a1aace97694a243ba7a11cc5c77e982e9cc", + 
"zh:e82aa1c5e8ead3087968d7f44b6f644ef3092a0d243b4b575ff8847616e290b3", + "zh:f4d57d3c5f3c7fe064b88151036037b7852be6bcfa661e3f4fe0fda2871006d9", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf b/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf new file mode 100644 index 0000000..d9c446d --- /dev/null +++ b/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf 
@@ -0,0 +1,55 @@
+
+resource "azurerm_service_plan" "keycloak-sp" {
+ name = "keycloak-sp"
+ resource_group_name = var.keycloak-resource-group.name
+ location = var.keycloak-resource-group.location
+ os_type = "Linux"
+ sku_name = "F1"
+
+ depends_on = [ azurerm_resource_group.keycloak-resource-group ]
+}
+
+resource "azurerm_linux_web_app" "keycloak-webapp" {
+ name = "keycloak-iam-webapp"
+ resource_group_name = var.keycloak-resource-group.name
+ location = var.keycloak-resource-group.location
+ service_plan_id = azurerm_service_plan.keycloak-sp.id
+
+ https_only = true
+
+ app_settings = {
+ "KEYCLOAK_USER" = "admin"
+ "KEYCLOAK_PASSWORD" = sensitive(var.secrets.admin_password)
+ "DOCKER_REGISTRY_SERVER_URL" = "https://registry.hub.docker.com/v2/"
+ "WEBSITE_ENABLE_APP_SERVICE_STORAGE" = true
+ "FRONTEND_URL" = "https://keycloak-iam-webapp.azurewebsites.net/auth"
+ }
+
+ site_config {
+ always_on = false
+ }
+
+ depends_on = [ azurerm_service_plan.keycloak-sp ]
+
+}
+
+output "hostname" {
+ value = azurerm_linux_web_app.keycloak-webapp.default_hostname
+}
+
+resource "azapi_update_resource" "update_linux_web_app" {
+ resource_id = azurerm_linux_web_app.keycloak-webapp.id
+ type = "Microsoft.Web/sites@2022-03-01"
+ body = jsonencode({
+ properties = {
+ "siteConfig" = {
+ "linuxFxVersion" = "COMPOSE|${base64encode(file("keycloak_service.yaml"))}"
+ }
+ "appSettings" = {
+ "keycloakFrontendUrl" = join("/", [azurerm_linux_web_app.keycloak-webapp.default_hostname, "auth"])
+ }
+ }
+ })
+
+ depends_on = [ azurerm_linux_web_app.keycloak-webapp ]
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/keycloak_webapp/keycloak_service.yaml b/src/final-assessment/IaCSec/keycloak_webapp/keycloak_service.yaml
new file mode 100644
index 0000000..3c9987f
--- /dev/null
+++ b/src/final-assessment/IaCSec/keycloak_webapp/keycloak_service.yaml
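Review bot: `"KEYCLOAK_PASSWORD" = sensitive(var.secrets.admin_password)` only changes how Terraform prints the value; the admin password is still written into the App Service application settings, where anyone with read access to the site configuration or the state file can list it in clear text. Store it in Key Vault and reference it from the setting with a Key Vault reference (`@Microsoft.KeyVault(SecretUri=...)`) resolved through a system-assigned identity on the web app. `var.secrets` is not declared in the variables.tf added by this patch; it presumably lives in a git-ignored `secrets.tf` (the `.gitignore` hunk later in this series ignores `**/secrets.tf`), and that should be stated in a comment so a fresh clone does not fail at plan time. I would also confirm the `azapi_update_resource` body against the Microsoft.Web/sites 2022-03-01 schema, because it places `appSettings` directly under `properties` as a map rather than under `siteConfig` as a name/value list.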
@@ -0,0 +1,11 @@
+version: '3'
+
+services:
+ keycloak:
+ image: jboss/keycloak:latest
+ container_name: keycloak
+ environment:
+ - PROXY_ADDRESS_FORWARDING=true
+ volumes:
+ - ${WEBAPP_STORAGE_HOME}/data:/opt/jboss/keycloak/standalone/data
+ restart: always
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/keycloak_webapp/main.tf b/src/final-assessment/IaCSec/keycloak_webapp/main.tf
new file mode 100644
index 0000000..d3c179a
--- /dev/null
+++ b/src/final-assessment/IaCSec/keycloak_webapp/main.tf
@@ -0,0 +1,39 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.52.0"
+ }
+
+ azapi = {
+ source = "azure/azapi"
+ version = "1.6.0"
+ }
+ }
+
+ backend "azurerm" {
+ resource_group_name = "terraform-rg"
+ storage_account_name = "terraformbackendmanuel"
+ container_name = "tfstate"
+ key = "terraform.tfstate_keycloak_app"
+ }
+}
+
+provider "azapi" {
+
+}
+
+
+provider "azurerm" {
+ subscription_id = var.credentials["subscription_id"]
+ client_id = var.credentials["client_id"]
+ client_secret = var.azure_sp_key
+ tenant_id = var.credentials["tenant_id"]
+ features {}
+}
+
+
+resource "azurerm_resource_group" "keycloak-resource-group" {
+ name = var.keycloak-resource-group.name
+ location = var.keycloak-resource-group.location
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/keycloak_webapp/variables.tf b/src/final-assessment/IaCSec/keycloak_webapp/variables.tf
new file mode 100644
index 0000000..c435f2a
--- /dev/null
+++ b/src/final-assessment/IaCSec/keycloak_webapp/variables.tf
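Review bot: `image: jboss/keycloak:latest` is an unpinned mutable tag, so each restart of the App Service may run a different build, and as far as I know the `jboss/keycloak` Docker Hub image was retired in favour of `quay.io/keycloak/keycloak`, which means `latest` here is frozen on an old, unpatched release. Pin an explicit version and digest, e.g. `image: quay.io/keycloak/keycloak:<version>@sha256:<digest>`, bearing in mind that the current image expects `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` rather than the `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` settings configured in keycloak.tf, so the two files have to change together.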
@@ -0,0 +1,33 @@
+variable "azure_sp_key" {}
+
+variable "credentials" {
+ description = "Azure Service Provider Credentials"
+ type = map(string)
+ default = {
+ subscription_id = "945fc713-dc5d-4ba6-9b6b-2f1fb2225b19"
+ tenant_id = "c5179d57-9fa0-4d70-bf82-c3e49fc377d9"
+ client_id = "8267d52d-29b9-4a06-ac44-1c6743c8b010"
+ }
+}
+
+# Politecnico Account
+# subscription_id: "8eb30f69-69f6-4ff0-99ea-f9edd2274036"
+# tenant_id: "2a05ac92-2049-4a26-9b34-897763efc8e2"
+# client_id: "12d6c386-4977-4aea-9b56-902c514c9d14"
+
+
+# Reply Account
+# subscription id: 945fc713-dc5d-4ba6-9b6b-2f1fb2225b19
+# tenant id: c5179d57-9fa0-4d70-bf82-c3e49fc377d9
+# client id: 8267d52d-29b9-4a06-ac44-1c6743c8b010
+
+
+
+variable "keycloak-resource-group" {
+ description = "Azure AKS Resource Group Info"
+ type = map(string)
+ default = {
+ name = "keycloak-resource-group"
+ location = "francecentral"
+ }
+}
\ No newline at end of file
diff --git a/src/final-assessment/IaCSec/mysql_database/main.tf b/src/final-assessment/IaCSec/mysql_database/main.tf
new file mode 100644
index 0000000..e05f0e4
--- /dev/null
+++ b/src/final-assessment/IaCSec/mysql_database/main.tf
@@ -0,0 +1,36 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.52.0"
+ }
+ }
+
+ backend "azurerm" {
+ resource_group_name = "terraform"
+ storage_account_name = "terraformstate1603709092"
+ container_name = "tfstate"
+ key = "terraform.tfstate_mysql_db"
+ }
+}
+
+
+provider "azurerm" {
+ subscription_id = var.credentials["subscription_id"]
+ client_id = var.credentials["client_id"]
+ client_secret = var.azure_sp_key
+ tenant_id = var.credentials["tenant_id"]
+ features {}
+}
+
+
+resource "azurerm_resource_group" "mysql_db_resource_group" {
+ name = var.mysql_db_resource_group.name
+ location = var.mysql_db_resource_group.location
+}
+
+
+
+
+
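Review bot: `variable "azure_sp_key" {}` holds the service-principal client secret but has neither a `type` nor `sensitive = true`, so its value is echoed in plan output and CI logs; declare it as `variable "azure_sp_key" { type = string; sensitive = true }`. The `credentials` default plus the two comment blocks underneath hard-code subscription, tenant and client IDs for two different organisations; these are not secrets on their own, but together with a leaked `azure_sp_key` they are everything needed to log in, and the commented copies will drift from the live values. Remove the default and the comment blocks and supply the IDs through tfvars or the `ARM_*` environment variables.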
diff --git a/src/final-assessment/IaCSec/mysql_database/mysql_database.tf b/src/final-assessment/IaCSec/mysql_database/mysql_database.tf new file mode 100644 index 0000000..83c7ad5 --- /dev/null +++ b/src/final-assessment/IaCSec/mysql_database/mysql_database.tf 
@@ -0,0 +1,50 @@
+resource "azurerm_virtual_network" "database_virtual_network" {
+ name = "database_virtual_network"
+ location = var.mysql_db_resource_group.location
+ resource_group_name = var.mysql_db_resource_group.name
+ address_space = ["10.0.0.0/16"]
+}
+
+resource "azurerm_subnet" "database_vn_subnet" {
+ name = "database_vn_subnet"
+ resource_group_name = var.mysql_db_resource_group.name
+ virtual_network_name = var.mysql_db_resource_group.location
+ address_prefixes = ["10.0.2.0/24"]
+ service_endpoints = ["Microsoft.Storage"]
+ delegation {
+ name = "fs"
+ service_delegation {
+ name = "Microsoft.DBforMySQL/flexibleServers"
+ actions = [
+ "Microsoft.Network/virtualNetworks/subnets/join/action",
+ ]
+ }
+ }
+}
+
+resource "azurerm_private_dns_zone" "database_dns_zone" {
+ name = "databasemysqlmec.com"
+ resource_group_name = var.mysql_db_resource_group.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "private_dns_zone" {
+ name = "exampleVnetZone.com"
+ private_dns_zone_name = azurerm_private_dns_zone.database_dns_zone.name
+ virtual_network_id = azurerm_virtual_network.database_virtual_network.id
+ resource_group_name = var.mysql_db_resource_group.name
+}
+
+resource "azurerm_mysql_flexible_server" "mysql_flexible_server" {
+ name = "databasemysqlmec"
+ resource_group_name = var.mysql_db_resource_group.name
+ location = var.mysql_db_resource_group.location
+ administrator_login = "runcor3"
+ administrator_password = "testFakePassword."
+ backup_retention_days = 7
+ delegated_subnet_id = azurerm_subnet.database_vn_subnet.id
+ private_dns_zone_id = azurerm_private_dns_zone.database_dns_zone.id
+ sku_name = "B_Standard_B1s"
+ version = "8.0.21"
+ depends_on = [azurerm_resource_group.mysql_db_resource_group,
+ azurerm_private_dns_zone_virtual_network_link.private_dns_zone]
+}
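Review bot: `virtual_network_name = var.mysql_db_resource_group.location` on the `azurerm_subnet` passes a region name ("UK South") where the VNet name belongs, so the subnet is created against a VNet that does not exist and the apply fails; it should be `virtual_network_name = azurerm_virtual_network.database_virtual_network.name`. `administrator_password = "testFakePassword."` is a plaintext credential in source control and, whatever the name suggests, it is the real password the flexible server is provisioned with; move it to a `sensitive = true` variable, e.g. `administrator_password = var.mysql_admin_password`, and rotate it, since it is already in the history. `service_endpoints = ["Microsoft.Storage"]` on a subnet delegated to MySQL is unexplained and can be dropped unless storage access from that subnet is actually required.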
diff --git a/src/final-assessment/IaCSec/mysql_database/variables.tf b/src/final-assessment/IaCSec/mysql_database/variables.tf
new file mode 100644
index 0000000..c152184
--- /dev/null
+++ b/src/final-assessment/IaCSec/mysql_database/variables.tf
@@ -0,0 +1,24 @@
+
+variable "azure_sp_key" {}
+
+variable "credentials" {
+ description = "Azure Service Provider Credentials"
+ type = map(string)
+ default = {
+ subscription_id = "8eb30f69-69f6-4ff0-99ea-f9edd2274036"
+ tenant_id = "2a05ac92-2049-4a26-9b34-897763efc8e2"
+ client_id = "12d6c386-4977-4aea-9b56-902c514c9d14"
+ }
+}
+
+
+variable "mysql_db_resource_group" {
+ description = "Azure MySQL DB Resource Group Info"
+ type = map(string)
+ default = {
+ name = "mysql-db-resource-group"
+ location = "UK South"
+ }
+}
+
+
diff --git a/src/final-assessment/resources_list.md b/src/final-assessment/resources_list.md
new file mode 100644
index 0000000..bc28f91
--- /dev/null
+++ b/src/final-assessment/resources_list.md
@@ -0,0 +1,4 @@
+- Keycloak Webapp
+- Vault_K8s/Azure_Full_DB_K8s_Vault_Deployment every reflink (Mysql, K8s, Vault-on-VM)
+- Observability => Azure => Terraform_Deployment
+- Terraform-IaCSec => aws-infrastructure
\ No newline at end of file
From 18bea2896ad854094d368c25d1b36679236f8b98 Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Fri, 1 Sep 2023 15:55:28 +0200
Subject: [PATCH 02/38] modified workflow
---
 .github/workflows/IaC_Sec_checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml
index 864a734..e574d95 100644
--- a/.github/workflows/IaC_Sec_checks.yml
+++ b/.github/workflows/IaC_Sec_checks.yml
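Review bot: Same problem as the keycloak variables file: `variable "azure_sp_key" {}` is the service-principal secret yet is neither typed nor marked sensitive, so it shows up in plan output and CI logs; declare it `variable "azure_sp_key" { type = string; sensitive = true }`. The `credentials` default hard-codes a subscription, tenant and client ID, which pins this module to one account and hands an attacker holding the secret the complete login triple; drop the default so every environment supplies the IDs explicitly.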
@@ -32,7 +32,7 @@ jobs: id: pr_status uses: octokit/request-action@v2.x with: - route: GET /repos/RunCor399/Terraform-IaCSec/pulls/${{ github.event.pull_request.number }} + route: GET /repos/RunCor399/Terraform-IaCSec/pulls/${{ github.event.number }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 67d2276e4d80e810b0d0c45985b782d24d3cd188 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Fri, 1 Sep 2023 15:56:27 +0200 Subject: [PATCH 03/38] modified again --- .github/workflows/IaC_Sec_checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index e574d95..d960185 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -27,6 +27,7 @@ jobs: steps: - uses: actions/checkout@v3 + - name: Check if pull request is opened/reopened id: pr_status From f9b6413a448b64e7b5585483e785de57fb56f222 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Fri, 1 Sep 2023 15:59:28 +0200 Subject: [PATCH 04/38] modified workflow #2 --- .github/workflows/IaC_Sec_checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index d960185..16ad835 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -39,7 +39,7 @@ jobs: - name: Checkov GitHub Action uses: bridgecrewio/checkov-action@v12 - if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }} + #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }} with: output_format: cli,sarif output_file_path: console,results.sarif From abfd4ea25ec86392ad4368cff4578fc322344511 Mon Sep 17 00:00:00 2001 
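Review bot: Commenting out the `if:` on the Checkov step leaves the preceding `pr_status` step (an authenticated API call with `GITHUB_TOKEN`) running for no consumer, and it leaves a dead condition that the next reader will assume is load-bearing. If the goal is to scan only open or reopened pull requests, express it on the trigger — `on: pull_request: types: [opened, reopened, synchronize]` — and delete both the `pr_status` step and the commented line. Note that `'reopened'` was never a valid value for a pull request's `state` (the API returns `open` or `closed`), so the old condition was equivalent to `state == 'open'` anyway. The `on:` block is outside this hunk, so I cannot see what currently triggers the workflow.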
From: Manuel Enrique Colotti s297014 Date: Fri, 1 Sep 2023 16:16:27 +0200 Subject: [PATCH 05/38] public repo --- .github/workflows/IaC_Sec_checks.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index 16ad835..cc05869 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -40,6 +40,7 @@ jobs: - name: Checkov GitHub Action uses: bridgecrewio/checkov-action@v12 #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }} + with: output_format: cli,sarif output_file_path: console,results.sarif From cdc4bf1765f3c41b30dc7d11d10d2919dfc62bcf Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Fri, 1 Sep 2023 16:28:49 +0200 Subject: [PATCH 06/38] modified workflow --- .github/workflows/IaC_Sec_checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index cc05869..22a29f7 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -40,7 +40,7 @@ jobs: - name: Checkov GitHub Action uses: bridgecrewio/checkov-action@v12 #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }} - + with: output_format: cli,sarif output_file_path: console,results.sarif @@ -51,5 +51,5 @@ jobs: if: success() || failure() with: sarif_file: results.sarif - ref: ${{ github.head_ref }} - sha: ${{ github.sha }} + ref: "refs/pull/${{ github.event.pull_request.number }}/merge" + sha: ${{ github.event.pull_request.head.sha }} From 1346517838526596f59290ec877a91b0871c724e Mon Sep 17 00:00:00 2001 
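Review bot: The SARIF upload now pairs `ref: "refs/pull/N/merge"` with `sha: ${{ github.event.pull_request.head.sha }}`, but those name different commits — the merge ref resolves to the synthetic merge commit while `head.sha` is the tip of the PR branch — and, as far as I understand the upload action's validation, `ref` and `sha` must describe the same commit or the alerts are attached to the wrong one. On a `pull_request` trigger `github.ref` and `github.sha` already default to `refs/pull/N/merge` and the merge commit, so the simplest fix is to delete both the `ref:` and `sha:` lines; if alerts on the branch head are wanted instead, use `ref: refs/heads/${{ github.head_ref }}` with the `head.sha` value. The step's `name:` and `uses:` lines are outside this hunk.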
From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 14:48:50 +0200 Subject: [PATCH 07/38] Solved several IaC Sec issues --- .gitignore | 2 + .../IaCSec/Azure_Observability/aks.tf | 4 + .../Kubernetes/db_connector_manifest.yml | 1 + .../IaCSec/Kubernetes/kubernetes_manifest.yml | 858 ------------------ .../Kubernetes/kubernetes_manifest_edited.yml | 10 + .../IaCSec/Kubernetes/pod_service_account.yml | 2 + .../IaCSec/Kubernetes/test_pod.yml | 2 + .../IaCSec/Vault-on-VM/main.tf | 10 +- .../cluster-aux-resources/example-pod.yaml | 2 + .../IaCSec/iacsec-assessment.md | 5 + 10 files changed, 37 insertions(+), 859 deletions(-) delete mode 100644 src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml diff --git a/.gitignore b/.gitignore index 972e0fc..4561b91 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,5 @@ override.tf.json *.env **/secrets.tf +**/IaCSec_Resolution/** + diff --git a/src/final-assessment/IaCSec/Azure_Observability/aks.tf b/src/final-assessment/IaCSec/Azure_Observability/aks.tf index 6fde47d..656f728 100644 --- a/src/final-assessment/IaCSec/Azure_Observability/aks.tf +++ b/src/final-assessment/IaCSec/Azure_Observability/aks.tf @@ -5,11 +5,15 @@ resource "azurerm_kubernetes_cluster" "aks_cluster" { location = var.observability_rg.location resource_group_name = var.observability_rg.name sku_tier = "Free" + local_account_disabled = true + api_server_authorized_ip_ranges = "0.0.0.0/0" + private_cluster_enabled = true default_node_pool { name = "default" node_count = 1 vm_size = "standard_d2_v2" + max_pods = 51 } // Add role assignment for azure user diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index 70d1f4c..a4210ce 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml +++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml 
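Review bot: `api_server_authorized_ip_ranges = "0.0.0.0/0"` does the opposite of what an authorized-ranges fix should do — it allow-lists the whole IPv4 space — and in the azurerm provider this argument is a set of strings, so a bare string is expected to fail at plan time; if a real restriction is intended, use an admin list such as `api_server_authorized_ip_ranges = var.admin_cidrs`. It is also combined with `private_cluster_enabled = true`, and AKS does not support authorized IP ranges on a private cluster, so one of the two lines must go. `local_account_disabled = true` only works with Azure AD integration enabled on the cluster; no `azure_active_directory_role_based_access_control` block is visible in this hunk, and without one nobody can authenticate after apply. `max_pods = 51` looks chosen to clear a scanner threshold rather than a capacity need, and a comment saying so would spare the next reader a search.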
@@ -36,6 +36,7 @@ spec: selector: matchLabels: app: db-connector + role: default-deployment template: metadata: labels: diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml deleted file mode 100644 index 26b7549..0000000 --- a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest.yml +++ /dev/null 
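Review bot: Adding `role: default-deployment` to `spec.selector.matchLabels` is only valid if the pod template carries the same label; the `template.metadata.labels` entries sit just past the end of this hunk, so I cannot confirm it, and a Deployment whose selector does not match its template labels is rejected by the API server. `selector` is also immutable on an existing Deployment, so if db-connector is already running this change forces a delete-and-recreate rather than a rolling update. Add `role: default-deployment` under `template.metadata.labels` too, and call out the recreate in the commit message. The Deployment spec continues beyond the hunk.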
@@ -1,858 +0,0 @@ -# Copyright 2018 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# ---------------------------------------------------------- -# WARNING: This file is autogenerated. Do not manually edit. -# ---------------------------------------------------------- - -# [START gke_release_kubernetes_manifests_microservices_demo] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: emailservice -spec: - selector: - matchLabels: - app: emailservice - template: - metadata: - labels: - app: emailservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/emailservice:v0.6.0 - ports: - - containerPort: 8080 - env: - - name: PORT - value: "8080" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - livenessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: emailservice -spec: - type: ClusterIP - selector: - app: emailservice - ports: - - name: grpc - port: 5000 
- targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: checkoutservice -spec: - selector: - matchLabels: - app: checkoutservice - template: - metadata: - labels: - app: checkoutservice - spec: - serviceAccountName: default - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.6.0 - ports: - - containerPort: 5050 - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:5050"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:5050"] - env: - - name: PORT - value: "5050" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "productcatalogservice:3550" - - name: SHIPPING_SERVICE_ADDR - value: "shippingservice:50051" - - name: PAYMENT_SERVICE_ADDR - value: "paymentservice:50051" - - name: EMAIL_SERVICE_ADDR - value: "emailservice:5000" - - name: CURRENCY_SERVICE_ADDR - value: "currencyservice:7000" - - name: CART_SERVICE_ADDR - value: "cartservice:7070" - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: checkoutservice -spec: - type: ClusterIP - selector: - app: checkoutservice - ports: - - name: grpc - port: 5050 - targetPort: 5050 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: recommendationservice -spec: - selector: - matchLabels: - app: recommendationservice - template: - metadata: - labels: - app: recommendationservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - 
readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.6.0 - ports: - - containerPort: 8080 - readinessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - livenessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:8080"] - env: - - name: PORT - value: "8080" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "productcatalogservice:3550" - - name: DISABLE_PROFILER - value: "1" - resources: - requests: - cpu: 100m - memory: 220Mi - limits: - cpu: 200m - memory: 450Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: recommendationservice -spec: - type: ClusterIP - selector: - app: recommendationservice - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: frontend -spec: - selector: - matchLabels: - app: frontend - template: - metadata: - labels: - app: frontend - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - spec: - serviceAccountName: default - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/frontend:v0.6.0 - ports: - - containerPort: 8080 - readinessProbe: - initialDelaySeconds: 10 - httpGet: - path: "/_healthz" - port: 8080 - httpHeaders: - - name: "Cookie" - value: "shop_session-id=x-readiness-probe" - livenessProbe: - initialDelaySeconds: 10 - httpGet: - path: "/_healthz" - port: 8080 - httpHeaders: - - name: "Cookie" - value: "shop_session-id=x-liveness-probe" - env: - - name: PORT - value: "8080" - - name: PRODUCT_CATALOG_SERVICE_ADDR - value: "productcatalogservice:3550" - - name: CURRENCY_SERVICE_ADDR - value: "currencyservice:7000" - - name: CART_SERVICE_ADDR - value: "cartservice:7070" - - name: 
RECOMMENDATION_SERVICE_ADDR - value: "recommendationservice:8080" - - name: SHIPPING_SERVICE_ADDR - value: "shippingservice:50051" - - name: CHECKOUT_SERVICE_ADDR - value: "checkoutservice:5050" - - name: AD_SERVICE_ADDR - value: "adservice:9555" - # # ENV_PLATFORM: One of: local, gcp, aws, azure, onprem, alibaba - # # When not set, defaults to "local" unless running in GKE, otherwies auto-sets to gcp - - name: ENV_PLATFORM - value: "azure" - - name: ENABLE_PROFILER - value: "0" - # - name: CYMBAL_BRANDING - # value: "true" - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: frontend -spec: - type: ClusterIP - selector: - app: frontend - ports: - - name: http - port: 80 - targetPort: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: frontend-external -spec: - type: LoadBalancer - selector: - app: frontend - ports: - - name: http - port: 80 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: paymentservice -spec: - selector: - matchLabels: - app: paymentservice - template: - metadata: - labels: - app: paymentservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/paymentservice:v0.6.0 - ports: - - containerPort: 50051 - env: - - name: PORT - value: "50051" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: 
paymentservice -spec: - type: ClusterIP - selector: - app: paymentservice - ports: - - name: grpc - port: 50051 - targetPort: 50051 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: productcatalogservice -spec: - selector: - matchLabels: - app: productcatalogservice - template: - metadata: - labels: - app: productcatalogservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.6.0 - ports: - - containerPort: 3550 - env: - - name: PORT - value: "3550" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:3550"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:3550"] - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: productcatalogservice -spec: - type: ClusterIP - selector: - app: productcatalogservice - ports: - - name: grpc - port: 3550 - targetPort: 3550 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cartservice -spec: - selector: - matchLabels: - app: cartservice - template: - metadata: - labels: - app: cartservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/cartservice:v0.6.0 - ports: - - containerPort: 7070 - env: - - name: REDIS_ADDR - value: "redis-cart:6379" - resources: - 
requests: - cpu: 200m - memory: 64Mi - limits: - cpu: 300m - memory: 128Mi - readinessProbe: - initialDelaySeconds: 15 - exec: - command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] - livenessProbe: - initialDelaySeconds: 15 - periodSeconds: 10 - exec: - command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] ---- -apiVersion: v1 -kind: Service -metadata: - name: cartservice -spec: - type: ClusterIP - selector: - app: cartservice - ports: - - name: grpc - port: 7070 - targetPort: 7070 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: loadgenerator -spec: - selector: - matchLabels: - app: loadgenerator - replicas: 1 - template: - metadata: - labels: - app: loadgenerator - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - restartPolicy: Always - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - initContainers: - - command: - - /bin/sh - - -exc - - | - echo "Init container pinging frontend: ${FRONTEND_ADDR}..." 
- STATUSCODE=$(wget --server-response http://${FRONTEND_ADDR} 2>&1 | awk '/^ HTTP/{print $2}') - if test $STATUSCODE -ne 200; then - echo "Error: Could not reach frontend - Status code: ${STATUSCODE}" - exit 1 - fi - name: frontend-check - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: busybox:latest - env: - - name: FRONTEND_ADDR - value: "frontend:80" - containers: - - name: main - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.6.0 - env: - - name: FRONTEND_ADDR - value: "frontend:80" - - name: USERS - value: "10" - resources: - requests: - cpu: 300m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: currencyservice -spec: - selector: - matchLabels: - app: currencyservice - template: - metadata: - labels: - app: currencyservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/currencyservice:v0.6.0 - ports: - - name: grpc - containerPort: 7000 - env: - - name: PORT - value: "7000" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:7000"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:7000"] - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: currencyservice -spec: - type: ClusterIP - selector: - app: currencyservice - ports: - - name: grpc - port: 
7000 - targetPort: 7000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: shippingservice -spec: - selector: - matchLabels: - app: shippingservice - template: - metadata: - labels: - app: shippingservice - spec: - serviceAccountName: default - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/shippingservice:v0.6.0 - ports: - - containerPort: 50051 - env: - - name: PORT - value: "50051" - - name: DISABLE_PROFILER - value: "1" - readinessProbe: - periodSeconds: 5 - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - livenessProbe: - exec: - command: ["/bin/grpc_health_probe", "-addr=:50051"] - resources: - requests: - cpu: 100m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: shippingservice -spec: - type: ClusterIP - selector: - app: shippingservice - ports: - - name: grpc - port: 50051 - targetPort: 50051 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-cart -spec: - selector: - matchLabels: - app: redis-cart - template: - metadata: - labels: - app: redis-cart - spec: - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: redis - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: redis:alpine - ports: - - containerPort: 6379 - readinessProbe: - periodSeconds: 5 - tcpSocket: - port: 6379 - livenessProbe: - periodSeconds: 5 - tcpSocket: - port: 6379 - volumeMounts: - - mountPath: /data - name: redis-data - resources: - limits: - memory: 256Mi - cpu: 125m - requests: - cpu: 70m - memory: 200Mi - volumes: - - name: redis-data - emptyDir: {} ---- -apiVersion: v1 
-kind: Service -metadata: - name: redis-cart -spec: - type: ClusterIP - selector: - app: redis-cart - ports: - - name: tcp-redis - port: 6379 - targetPort: 6379 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: adservice -spec: - selector: - matchLabels: - app: adservice - template: - metadata: - labels: - app: adservice - spec: - serviceAccountName: default - terminationGracePeriodSeconds: 5 - securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - containers: - - name: server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - image: gcr.io/google-samples/microservices-demo/adservice:v0.6.0 - ports: - - containerPort: 9555 - env: - - name: PORT - value: "9555" - resources: - requests: - cpu: 200m - memory: 180Mi - limits: - cpu: 300m - memory: 300Mi - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 15 - exec: - command: ["/bin/grpc_health_probe", "-addr=:9555"] - livenessProbe: - initialDelaySeconds: 20 - periodSeconds: 15 - exec: - command: ["/bin/grpc_health_probe", "-addr=:9555"] ---- -apiVersion: v1 -kind: Service -metadata: - name: adservice -spec: - type: ClusterIP - selector: - app: adservice - ports: - - name: grpc - port: 9555 - targetPort: 9555 -# [END gke_release_kubernetes_manifests_microservices_demo] diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml index 26b7549..607176d 100644 --- a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml +++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml @@ -30,6 +30,7 @@ spec: metadata: labels: app: emailservice + role: mail-service spec: serviceAccountName: default terminationGracePeriodSeconds: 5 @@ -233,6 +234,7 @@ spec: selector: matchLabels: app: frontend + role: default-deployment template: metadata: labels: 
@@ -341,6 +343,7 @@ spec: selector: matchLabels: app: paymentservice + role: default-deployment template: metadata: labels: @@ -409,6 +412,7 @@ spec: metadata: labels: app: productcatalogservice + role: default-deployment spec: serviceAccountName: default terminationGracePeriodSeconds: 5 @@ -469,6 +473,7 @@ spec: selector: matchLabels: app: cartservice + role: default-deployment template: metadata: labels: @@ -534,6 +539,7 @@ spec: selector: matchLabels: app: loadgenerator + role: default-deployment replicas: 1 template: metadata: @@ -604,6 +610,7 @@ spec: selector: matchLabels: app: currencyservice + role: default-deployment template: metadata: labels: @@ -669,6 +676,7 @@ spec: selector: matchLabels: app: shippingservice + role: default-deployment template: metadata: labels: @@ -733,6 +741,7 @@ spec: selector: matchLabels: app: redis-cart + role: default-deployment template: metadata: labels: @@ -798,6 +807,7 @@ spec: selector: matchLabels: app: adservice + role: default-deployment template: metadata: labels: diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index c1d13c1..e49d314 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -2,6 +2,8 @@ apiVersion: v1 kind: Pod metadata: name: sa-pod + labels: + role: example-pod spec: serviceAccountName: vault-service-account containers: diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 94e8231..189dae3 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -2,6 +2,8 @@ apiVersion: v1 kind: Pod metadata: name: ubuntu-curl-pod + labels: + role: example-pod spec: containers: - name: ubuntu 
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf index 87be94d..57fbf3f 100644 --- a/src/final-assessment/IaCSec/Vault-on-VM/main.tf +++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf @@ -129,9 +129,17 @@ resource "azurerm_key_vault" "vault" { } # TODO does this really need to be so broad? can it be limited to the vault vm? + # network_acls { + # default_action = "Allow" + # bypass = "AzureServices" + # } + network_acls { - default_action = "Allow" + default_action = "Deny" bypass = "AzureServices" + virtual_network_subnet_ids = [ + azurerm_subnet.tf_subnet.id + ] } } diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index 68ecaa5..daa2a5d 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -2,6 +2,8 @@ apiVersion: v1 kind: Pod metadata: name: ubuntu-pod + labels: + role: example-pod spec: containers: - name: ubuntu-container diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 7911864..2bdde1c 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md 
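Review bot: The commented-out copy of the old `network_acls` block and the `# TODO does this really need to be so broad?` line above it are now stale, since the live block denies by default and admits only `azurerm_subnet.tf_subnet`; drop the dead block and replace the TODO with the intended policy, e.g. `# Deny by default; only the vault VM subnet (via service endpoint) and trusted Azure services reach the data plane`. `virtual_network_subnet_ids` only takes effect if that subnet has the `Microsoft.KeyVault` service endpoint enabled; the subnet resource is not in this patch, so confirm its `service_endpoints`. The `azurerm_key_vault` resource starts before this hunk.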
@@ -9,6 +9,11 @@ - Kubernetes (YAML) ## Main Vulnerabilities - Checkov +- Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. CKV_AZURE_168 (max_pods parameter in aks node_pool) +- Ensure AKS local admin account is disabled. CKV_AZURE_141 (local_account_disabled = true in aks) +- Ensure AKS API server defines authorized IP ranges. CKV_AZURE_6 (api_server_authorized_ip_ranges = "0.0.0.0/0") +- Ensure AKS enables private clusters. CKV_AZURE_115 (private_cluster_enabled = true) +- Ensure that Azure Key Vault disables public network access. CKV_AZURE_189 (network_acls in Vault-On-VM Azure Key Vault) ## Main Vulnerabilities - Sysdig App ## Run time of pipelines \ No newline at end of file From 77655549944452ed855f4c179bfa1e2a65bdb5a0 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 14:49:11 +0200 Subject: [PATCH 08/38] modified assessment --- src/final-assessment/IaCSec/iacsec-assessment.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 2bdde1c..1b6b8cb 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -1,4 +1,5 @@ # IaC Security Assessment +Total (Checkov) = 341 ## Components included: - AWS infrastructure (Terraform) From c50f4518c6ffea564bc4c3c6a2a94fb2865bf930 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 14:51:41 +0200 Subject: [PATCH 09/38] modified workflow --- .github/workflows/IaC_Sec_checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index 22a29f7..ce2cf9e 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -6,7 +6,7 @@ on: pull_request: types: [opened, reopened] - push: + #push: branches: - 'final-assessment' paths: 
From c519526213873d5659b52702c3705a06d1064daa Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 15:00:21 +0200 Subject: [PATCH 10/38] modified workflow again --- .github/workflows/IaC_Sec_checks.yml | 6 +----- src/final-assessment/IaCSec/iacsec-assessment.md | 4 ++++ 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index ce2cf9e..aed93ed 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -6,11 +6,7 @@ on: pull_request: types: [opened, reopened] - #push: - branches: - - 'final-assessment' - paths: - - 'src/final-assessment/**' + diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 1b6b8cb..7fffb11 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -15,6 +15,10 @@ Total (Checkov) = 341 - Ensure AKS API server defines authorized IP ranges. CKV_AZURE_6 (api_server_authorized_ip_ranges = "0.0.0.0/0") - Ensure AKS enables private clusters. CKV_AZURE_115 (private_cluster_enabled = true) - Ensure that Azure Key Vault disables public network access. CKV_AZURE_189 (network_acls in Vault-On-VM Azure Key Vault) +- ## Main Vulnerabilities - Sysdig App +- 5 High +- 37 Medium +- 37 Low ## Run time of pipelines \ No newline at end of file From ad34fc1da65ffee956da24898b8f2c7967fd2e30 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 15:10:04 +0200 Subject: [PATCH 11/38] No public access from keyvault --- src/final-assessment/IaCSec/Vault-on-VM/main.tf | 1 + src/final-assessment/IaCSec/iacsec-assessment.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf index 57fbf3f..76ae296 100644 --- a/src/final-assessment/IaCSec/Vault-on-VM/main.tf 
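Review bot: With the `push` trigger removed, the new side runs the IaC checks only on pull_request events, so commits pushed directly to `final-assessment` are never scanned; that gap is only closed if branch protection requires this check before merging, which nothing on this page can show. If direct pushes remain possible, keep a push trigger next to the PR one, e.g. `push:` / `  branches: ['final-assessment']` / `  paths: ['src/final-assessment/**']`.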
+++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf @@ -100,6 +100,7 @@ resource "azurerm_key_vault" "vault" { location = azurerm_resource_group.vault.location resource_group_name = azurerm_resource_group.vault.name tenant_id = var.tenant_id + public_network_access_enabled = false # enable virtual machines to access this key vault. # NB this identity is used in the example /tmp/azure_auth.sh file. diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 7fffb11..79f75b6 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -14,7 +14,7 @@ Total (Checkov) = 341 - Ensure AKS local admin account is disabled. CKV_AZURE_141 (local_account_disabled = true in aks) - Ensure AKS API server defines authorized IP ranges. CKV_AZURE_6 (api_server_authorized_ip_ranges = "0.0.0.0/0") - Ensure AKS enables private clusters. CKV_AZURE_115 (private_cluster_enabled = true) -- Ensure that Azure Key Vault disables public network access. CKV_AZURE_189 (network_acls in Vault-On-VM Azure Key Vault) +- Ensure that Azure Key Vault disables public network access. CKV_AZURE_189 (network_acls in Vault-On-VM Azure Key Vault, public_network_access_enabled = false) - ## Main Vulnerabilities - Sysdig App - 5 High From f22fed2af34208d3aa5663d0435e739a0133f153 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 15:17:25 +0200 Subject: [PATCH 12/38] workflow now triggers on several pr events --- .github/workflows/IaC_Sec_checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml index aed93ed..9c87089 100644 --- a/.github/workflows/IaC_Sec_checks.yml +++ b/.github/workflows/IaC_Sec_checks.yml @@ -4,7 +4,7 @@ permissions: read-all on: pull_request: - types: [opened, reopened] + types: [opened, reopened, synchronize, edited] 
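Review bot: `public_network_access_enabled = false` combined with the `network_acls` already in this resource (deny by default, only `azurerm_subnet.tf_subnet` allowed) leaves the vault's data plane reachable only from that subnet or a private endpoint; as far as I can tell the `azurerm_key_vault_key` resource in the same file is created through the data plane, so an apply from a workstation or hosted CI outside the VNet would get a 403 on key creation. Confirm where terraform runs, and record the constraint next to the argument, e.g. `# data-plane calls (key creation by terraform, the VM's reads) must originate from tf_subnet or a private endpoint`. The resource block starts before this hunk.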
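Review bot: `edited` in the pull_request `types` re-runs the Checkov workflow whenever a PR title or body is changed, scanning identical code again; `synchronize` already covers new commits. Unless a description edit is meant to retrigger the scan, use `types: [opened, reopened, synchronize]`.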
From d1ed439de5a68bfc8b3e80181ff3f2c44a0ac40c Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 15:36:18 +0200 Subject: [PATCH 13/38] Solved CKV_AZURE 110 42 112 40 10 190 --- .../IaCSec/Vault-on-VM/main.tf | 28 +++++++++++-------- .../IaCSec/iacsec-assessment.md | 7 ++++- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf index 76ae296..f051ae3 100644 --- a/src/final-assessment/IaCSec/Vault-on-VM/main.tf +++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf @@ -101,6 +101,8 @@ resource "azurerm_key_vault" "vault" { resource_group_name = azurerm_resource_group.vault.name tenant_id = var.tenant_id public_network_access_enabled = false + purge_protection_enabled = true + soft_delete_retention_days = 7 # enable virtual machines to access this key vault. # NB this identity is used in the example /tmp/azure_auth.sh file. @@ -149,8 +151,9 @@ resource "azurerm_key_vault" "vault" { resource "azurerm_key_vault_key" "generated" { name = var.key_name key_vault_id = azurerm_key_vault.vault.id - key_type = "RSA" + key_type = "RSA-HSM" key_size = 2048 + expiration_date = "2030-12-30T20:00:00Z" key_opts = [ "decrypt", @@ -195,17 +198,17 @@ resource "azurerm_network_security_group" "tf_nsg" { location = var.location resource_group_name = azurerm_resource_group.vault.name - security_rule { - name = "SSH" - priority = 1001 - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = "*" - } + # security_rule { + # name = "SSH" + # priority = 1001 + # direction = "Inbound" + # access = "Allow" + # protocol = "Tcp" + # source_port_range = "*" + # destination_port_range = "22" + # source_address_prefix = "*" + # destination_address_prefix = "*" + # } security_rule { name = "Vault" 
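Review bot: `key_type = "RSA-HSM"` is only accepted by a Premium-SKU vault; the `sku_name` of `azurerm_key_vault.vault` is outside every hunk in this patch, so confirm it is `"premium"` or key creation fails at apply. `expiration_date = "2030-12-30T20:00:00Z"` is a hard-coded absolute date with no rotation plan attached; prefer `expiration_date = var.key_expiration_date` (to be declared) with a comment naming the rotation procedure, so the date is not silently buried in main.tf. Note also that the assessment text in this same patch records the date as 2020-12-30, which does not match the code.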
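Review bot: Commenting out the SSH `security_rule` removes inbound SSH entirely while leaving a dead block in the file; if SSH to the vault VM is still needed for operations, CKV_AZURE_10 is satisfied by scoping the rule rather than deleting it: keep the block and set `source_address_prefix = "<ADMIN_CIDR>"` (placeholder for the admin/bastion range) in place of `"*"`. If SSH is genuinely not needed, delete the commented lines instead of keeping them. The NSG resource starts before this hunk and the `Vault` rule continues after it.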
@@ -269,6 +272,7 @@ resource "azurerm_storage_account" "tf_storageaccount" { location = var.location account_tier = "Standard" account_replication_type = "LRS" + public_network_access_enabled = false } resource "azurerm_storage_share" "vault" { diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 79f75b6..1bcf5a8 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -15,7 +15,12 @@ Total (Checkov) = 341 - Ensure AKS API server defines authorized IP ranges. CKV_AZURE_6 (api_server_authorized_ip_ranges = "0.0.0.0/0") - Ensure AKS enables private clusters. CKV_AZURE_115 (private_cluster_enabled = true) - Ensure that Azure Key Vault disables public network access. CKV_AZURE_189 (network_acls in Vault-On-VM Azure Key Vault, public_network_access_enabled = false) -- +- Ensure that key vault enables purge protection. CKV_AZURE_110 (purge_protection_enabled = true) +- Ensure the key vault is recoverable CKV_AZURE_42 (soft_delete_retention_days = 7) +- Ensure that key vault key is backed by HSM CKV_AZURE_112 (key_type = "RSA-HSM") +- Ensure all keys have an expiration date. CKV_AZURE_40 (expiration_date = "2020-12-30T20:00:00Z") +- Ensure that SSH access is restricted from the internet CKV_AZURE_10 (commented Inbound SSH rule in Netwok Security Group (main.tf of Vault)) +- Ensure that Storage blobs restrict public access CKV_AZURE_190 (public_network_access_enabled = false) ## Main Vulnerabilities - Sysdig App - 5 High - 37 Medium From 30ac0405740ceac1abb29fca37794ff6660e4575 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 15:42:05 +0200 Subject: [PATCH 14/38] CKV_AZURE_190 resolution --- src/final-assessment/IaCSec/Vault-on-VM/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf index f051ae3..ec1d3ae 100644 --- a/src/final-assessment/IaCSec/Vault-on-VM/main.tf +++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf @@ -273,6 +273,12 @@ resource "azurerm_storage_account" "tf_storageaccount" { account_tier = "Standard" account_replication_type = "LRS" public_network_access_enabled = false + + network_rules { + default_action = "Deny" + bypass = "AzureServices" + ip_rules = "0.0.0.0/0" + } } resource "azurerm_storage_share" "vault" { From d3f89baa9941c3503b028bd8b0aabee4757a862c Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 15:46:03 +0200 Subject: [PATCH 15/38] CKV_AZURE_190 resolution #2 --- src/final-assessment/IaCSec/Vault-on-VM/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf index ec1d3ae..b753e6e 100644 --- a/src/final-assessment/IaCSec/Vault-on-VM/main.tf +++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf @@ -273,6 +273,7 @@ resource "azurerm_storage_account" "tf_storageaccount" { account_tier = "Standard" account_replication_type = "LRS" public_network_access_enabled = false + allow_nested_items_to_be_public = false network_rules { default_action = "Deny" From b6676186e96ac731593e9f650dd33e8109d19a55 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 16:09:08 +0200 Subject: [PATCH 16/38] Solved CKV_AWS_293 --- src/final-assessment/IaCSec/aws-infrastructure/rds.tf | 2 +- src/final-assessment/IaCSec/iacsec-assessment.md | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/final-assessment/IaCSec/aws-infrastructure/rds.tf b/src/final-assessment/IaCSec/aws-infrastructure/rds.tf index 6bfa9ed..6054c94 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/rds.tf +++ b/src/final-assessment/IaCSec/aws-infrastructure/rds.tf 
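Review bot: `ip_rules = "0.0.0.0/0"` defeats `default_action = "Deny"` by admitting every source, and the provider declares `ip_rules` as a set of strings, so a bare string should already fail at plan; I also do not believe Azure Storage accepts an all-zero range as an IP rule. Since the account is consumed from the vault VM, admit that subnet instead: `virtual_network_subnet_ids = [azurerm_subnet.tf_subnet.id]` (requires the `Microsoft.Storage` service endpoint on the subnet) and drop `ip_rules`. With public access off, the `azurerm_storage_share.vault` below is, as far as I recall, created through the file data plane, so terraform itself must run from an allowed network — worth a comment on the block.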
@@ -10,12 +10,12 @@ resource "aws_db_instance" "rds_db" { db_subnet_group_name = module.vpc.database_subnet_group_name skip_final_snapshot = true //inserito solo per permettere una destroy immediata vpc_security_group_ids = [aws_security_group.db_plane_sg.id] + deletion_protection = true backup_retention_period = 5 iam_database_authentication_enabled = true storage_encrypted = true #tfsec:ignore:aws-rds-enable-deletion-protection - deletion_protection = false //inserito solo per permettere una destroy immediata performance_insights_enabled = true performance_insights_kms_key_id = aws_kms_key.rds_performance_insights.arn performance_insights_retention_period = 7 diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 1bcf5a8..10c420f 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -21,6 +21,10 @@ Total (Checkov) = 341 - Ensure all keys have an expiration date. CKV_AZURE_40 (expiration_date = "2020-12-30T20:00:00Z") - Ensure that SSH access is restricted from the internet CKV_AZURE_10 (commented Inbound SSH rule in Netwok Security Group (main.tf of Vault)) - Ensure that Storage blobs restrict public access CKV_AZURE_190 (public_network_access_enabled = false) +- Ensure that AWS database instances have deletion protection enabled CKV_AWS_293 (deletion_protection = true) + + + ## Main Vulnerabilities - Sysdig App - 5 High - 37 Medium From 9cb4419e0bd13ecd9a976c6ae97675611faa61ab Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Mon, 4 Sep 2023 16:19:51 +0200 Subject: [PATCH 17/38] assessment modified --- src/final-assessment/IaCSec/iacsec-assessment.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 10c420f..30377b7 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md 
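Review bot: The `#tfsec:ignore:aws-rds-enable-deletion-protection` comment is kept as context although the line it suppressed is removed and `deletion_protection = true` now satisfies the check; a stale ignore keeps masking the finding if someone flips the value back, so delete that comment line too. `skip_final_snapshot = true` a few lines above (kept "solo per permettere una destroy immediata") still means a `terraform destroy` drops the database with no final snapshot, so deletion protection alone gives no recovery path; set `skip_final_snapshot = false` with a `final_snapshot_identifier` unless this is strictly a throw-away environment. The `aws_db_instance` block starts before the hunk.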
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -25,6 +25,10 @@ Total (Checkov) = 341 +Search filter: pr:38 tool:checkov is:open sort:created-desc path:/src/final-assessment + + + ## Main Vulnerabilities - Sysdig App - 5 High - 37 Medium From 98101894f98831ccea24690ba270af075f6ef696 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 11:50:54 +0200 Subject: [PATCH 18/38] Network policy for K8s pods --- .gitignore | 2 +- .../NetworkPolicy_CKV2_K8S_6.yaml | 83 +++++++++++++++++++ 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 src/final-assessment/IaCSec_Resolution/NetworkPolicy_CKV2_K8S_6.yaml diff --git a/.gitignore b/.gitignore index 4561b91..0edf9ff 100644 --- a/.gitignore +++ b/.gitignore @@ -33,5 +33,5 @@ override.tf.json *.env **/secrets.tf -**/IaCSec_Resolution/** + diff --git a/src/final-assessment/IaCSec_Resolution/NetworkPolicy_CKV2_K8S_6.yaml b/src/final-assessment/IaCSec_Resolution/NetworkPolicy_CKV2_K8S_6.yaml new file mode 100644 index 0000000..8a33a0e --- /dev/null +++ b/src/final-assessment/IaCSec_Resolution/NetworkPolicy_CKV2_K8S_6.yaml 
@@ -0,0 +1,83 @@ +# Mail Network Policy +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: mail-service-network-policy + namespace: default +spec: + podSelector: + matchLabels: + role: mail-service + policyTypes: + - Ingress + - Egress + ingress: + - from: [] + ports: + - protocol: TCP + port: 995 + - protocol: TCP + port: 110 + egress: + - to: [] + ports: + - protocol: TCP + port: 465 + - protocol: TCP + port: 25 + - protocol: TCP + port: 26 + +--- + +# Default Network Policy +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-network-policy + namespace: default +spec: + podSelector: + matchLabels: + role: example-pod + policyTypes: + - Ingress + - Egress + ingress: + - from: [] + ports: + - protocol: TCP + port: 0 + + egress: + - to: [] + ports: + - protocol: TCP + port: 0 + +--- + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deployment-network-policy + namespace: default +spec: + podSelector: + matchLabels: + role: default-deployment + policyTypes: + - Ingress + - Egress + ingress: + - from: [] + ports: + - protocol: TCP + port: 0 + + egress: + - to: [] + ports: + - protocol: TCP + port: 0 + From e15f119862891287a849db1d838ed719f17dd3a0 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:06:14 +0200 Subject: [PATCH 19/38] CKV_K8S_37 --- .../IaCSec/Kubernetes/db_connector_manifest.yml | 4 ++++ .../IaCSec/Kubernetes/pod_service_account.yml | 4 +++- src/final-assessment/IaCSec/Kubernetes/test_pod.yml | 4 +++- .../aws-infrastructure/cluster-aux-resources/example-pod.yaml | 4 ++++ src/final-assessment/IaCSec/iacsec-assessment.md | 2 ++ 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index a4210ce..7baafd1 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml 
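Review bot: `port: 0` in the two "default" policies is not a valid NetworkPolicy port (1–65535 or a named port), so the API server should reject those manifests, and `from: []` / `to: []` is an empty peer list, which the API treats as "all peers" rather than "no peers" — the mail policy therefore admits ingress on 110/995 and egress on 25/26/465 from and to anywhere. For a deny-all default keep `policyTypes` and omit the rule lists (`ingress: []` and `egress: []`), and for the mail service give `from`/`to` real `ipBlock` or `namespaceSelector` entries. The mail policy also permits no egress on port 53, so name resolution from that pod stops working once the policy is enforced, and port 26 is unusual for SMTP — confirm it is intended.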
+++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml @@ -45,6 +45,10 @@ spec: containers: - name: db-connector image: runcor3/db_connector:latest + securityContext: + capabilities: + drop: + - ALL ports: - containerPort: 8888 lifecycle: diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index e49d314..85eafd8 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -16,7 +16,9 @@ spec: value: internal-app command: ["sleep", "infinity"] securityContext: - runAsUser: 0 + capabilities: + drop: + - ALL resources: limits: cpu: "0.5" diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 189dae3..15aae49 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -10,7 +10,9 @@ spec: image: ubuntu command: ["sleep", "infinity"] securityContext: - runAsUser: 0 + capabilities: + drop: + - ALL resources: limits: cpu: "0.5" diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index daa2a5d..2daca20 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -8,4 +8,8 @@ spec: containers: - name: ubuntu-container image: ubuntu:latest + securityContext: + capabilities: + drop: + - ALL command: ["sleep", "3600"] \ No newline at end of file diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 30377b7..504afd9 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md 
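Review bot: In `pod_service_account.yml` and `test_pod.yml` the `- runAsUser: 0` line is replaced by the capability drop, but nothing else pins the user, so the container now runs as whatever the image's default user is (root for stock `ubuntu`) — the change removes the explicit root UID without preventing root. Add `runAsNonRoot: true` to the container `securityContext` in both files, and in `db_connector_manifest.yml` / `example-pod.yaml` which never set a user, so the kubelet refuses to start the container as UID 0; a later patch in this series adds `runAsUser: 20000`, which helps, but `runAsNonRoot` is the enforced guarantee and Checkov tracks it separately (CKV_K8S_23). Dropping `ALL` capabilities is right and is harmless for a `sleep` container.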
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -22,6 +22,8 @@ Total (Checkov) = 341 - Ensure that SSH access is restricted from the internet CKV_AZURE_10 (commented Inbound SSH rule in Netwok Security Group (main.tf of Vault)) - Ensure that Storage blobs restrict public access CKV_AZURE_190 (public_network_access_enabled = false) - Ensure that AWS database instances have deletion protection enabled CKV_AWS_293 (deletion_protection = true) +- Minimize the admission of pods which lack an associated NetworkPolicy CKV_K8S_6 +- Minimize the admission of containers with capabilities assigned CKV_K8S_37 From e5335a21723fb0872003bacf7936c148db77f398 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:15:08 +0200 Subject: [PATCH 20/38] CKV_K8S_40 --- .../Kubernetes/db_connector_manifest.yml | 1 + .../Kubernetes/kubernetes_manifest_edited.yml | 24 +++++++++---------- .../IaCSec/Kubernetes/pod_service_account.yml | 1 + .../IaCSec/Kubernetes/test_pod.yml | 1 + .../cluster-aux-resources/example-pod.yaml | 1 + 5 files changed, 16 insertions(+), 12 deletions(-) diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index 7baafd1..beddf5d 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml +++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml @@ -46,6 +46,7 @@ spec: - name: db-connector image: runcor3/db_connector:latest securityContext: + runAsUser: 20000 capabilities: drop: - ALL diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml index 607176d..7ec1ad3 100644 --- a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml +++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml 
@@ -38,7 +38,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -103,7 +103,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -177,7 +177,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -247,7 +247,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -355,7 +355,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -420,7 +420,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -485,7 +485,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -555,7 +555,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 initContainers: - command: - /bin/sh @@ -622,7 +622,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -687,7 +687,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: @@ -751,7 +751,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: redis securityContext: @@ -819,7 +819,7 @@ spec: fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 20000 containers: - name: server securityContext: 
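Review bot: Bumping `runAsUser` from 1000 to 20000 in every pod `securityContext` of this file while `runAsGroup: 1000` and `fsGroup: 1000` stay put looks like a change made to clear the CKV_K8S_40 threshold rather than to match the images; if the upstream images were built with files owned by uid 1000 (the value the manifest originally used suggests so), the processes may lose access to their own files or writable paths after this change. Verify that each deployment still starts and serves with the new UID, and either move `runAsGroup`/`fsGroup` to the same value or add a comment explaining why they differ. The `redis` pod at the `@@ -751` hunk is the one most likely to need a writable data directory.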
diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index 85eafd8..7ab5ef4 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -16,6 +16,7 @@ spec: value: internal-app command: ["sleep", "infinity"] securityContext: + runAsUser: 20000 capabilities: drop: - ALL diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 15aae49..8c1ff9c 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -10,6 +10,7 @@ spec: image: ubuntu command: ["sleep", "infinity"] securityContext: + runAsUser: 20000 capabilities: drop: - ALL diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index 2daca20..b7ba3cb 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -9,6 +9,7 @@ spec: - name: ubuntu-container image: ubuntu:latest securityContext: + runAsUser: 20000 capabilities: drop: - ALL From 14df30f7d5226b41407a1493e03a710d788221d7 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:28:22 +0200 Subject: [PATCH 21/38] Testing Seccomp profile in deployment --- .../IaCSec/Kubernetes/db_connector_manifest.yml | 4 ++++ .../IaCSec/Kubernetes/pod_service_account.yml | 4 ++++ src/final-assessment/IaCSec/Kubernetes/test_pod.yml | 1 + .../aws-infrastructure/cluster-aux-resources/example-pod.yaml | 4 ++++ src/final-assessment/IaCSec/iacsec-assessment.md | 4 +++- 5 files changed, 16 insertions(+), 1 deletion(-) 
diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index beddf5d..210ece1 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml +++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml @@ -42,10 +42,14 @@ spec: labels: app: db-connector spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: db-connector image: runcor3/db_connector:latest securityContext: + allowPrivilegeEscalation: false runAsUser: 20000 capabilities: drop: diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index 7ab5ef4..8fb266c 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -5,6 +5,9 @@ metadata: labels: role: example-pod spec: + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: vault-service-account containers: - name: ubuntu @@ -17,6 +20,7 @@ spec: command: ["sleep", "infinity"] securityContext: runAsUser: 20000 + allowPrivilegeEscalation: false capabilities: drop: - ALL diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 8c1ff9c..4f2a1ef 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -11,6 +11,7 @@ spec: command: ["sleep", "infinity"] securityContext: runAsUser: 20000 + allowPrivilegeEscalation: false capabilities: drop: - ALL diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index b7ba3cb..a173675 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml 
+++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -5,10 +5,14 @@ metadata: labels: role: example-pod spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: ubuntu-container image: ubuntu:latest securityContext: + allowPrivilegeEscalation: false runAsUser: 20000 capabilities: drop: diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 504afd9..1caf03d 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -23,7 +23,9 @@ Total (Checkov) = 341 - Ensure that Storage blobs restrict public access CKV_AZURE_190 (public_network_access_enabled = false) - Ensure that AWS database instances have deletion protection enabled CKV_AWS_293 (deletion_protection = true) - Minimize the admission of pods which lack an associated NetworkPolicy CKV_K8S_6 -- Minimize the admission of containers with capabilities assigned CKV_K8S_37 +- Minimize the admission of containers with capabilities assigned CKV_K8S_37 (security context capabilities) +- Containers should run as a high UID to avoid host conflict CKV_K8S_40 (security context runAsUser) +- Containers should not run with allowPrivilegeEscalation CKV_K8S_20 (allowPrivilegeEscalation=false) From 94ca918f7e086ccb32e0abfbdd3b3a67335bc26b Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:33:07 +0200 Subject: [PATCH 22/38] Solving CKV_K8S_31 --- .../Kubernetes/kubernetes_manifest_edited.yml | 24 +++++++++++++++++++ .../IaCSec/Kubernetes/test_pod.yml | 3 +++ 2 files changed, 27 insertions(+) diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml index 7ec1ad3..47a9063 100644 --- a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml 
+++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml @@ -35,6 +35,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -100,6 +102,8 @@ spec: spec: serviceAccountName: default securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -174,6 +178,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -244,6 +250,8 @@ spec: spec: serviceAccountName: default securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -352,6 +360,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -417,6 +427,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -482,6 +494,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -552,6 +566,8 @@ spec: terminationGracePeriodSeconds: 5 restartPolicy: Always securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -619,6 +635,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -684,6 +702,8 @@ spec: spec: serviceAccountName: default securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true 
@@ -748,6 +768,8 @@ spec: app: redis-cart spec: securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true @@ -816,6 +838,8 @@ spec: serviceAccountName: default terminationGracePeriodSeconds: 5 securityContext: + seccompProfile: + type: RuntimeDefault fsGroup: 1000 runAsGroup: 1000 runAsNonRoot: true diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 4f2a1ef..28d15fa 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -5,6 +5,9 @@ metadata: labels: role: example-pod spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: ubuntu image: ubuntu From 2ff2a1d9795ff644d48348012fe0362818905d6a Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:45:30 +0200 Subject: [PATCH 23/38] configured readiness and liveness probes --- .../IaCSec/Kubernetes/db_connector_manifest.yml | 13 +++++++++++++ src/final-assessment/IaCSec/Kubernetes/test_pod.yml | 13 +++++++++++++ .../cluster-aux-resources/example-pod.yaml | 13 +++++++++++++ src/final-assessment/IaCSec/iacsec-assessment.md | 1 + 4 files changed, 40 insertions(+) diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index 210ece1..9c2bfb6 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml +++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml @@ -54,6 +54,19 @@ spec: capabilities: drop: - ALL + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 1 ports: - containerPort: 8888 lifecycle: 
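Review bot: The probes added to `db-connector` are the stock Kubernetes documentation example and do not match this workload: the readiness probe targets `port: 8080` while the container only declares `containerPort: 8888`, and the liveness probe runs `cat /tmp/healthy`, a file nothing in this manifest creates. As written the pod never becomes Ready and is restart-looped by the liveness probe, so the check is satisfied on paper while the service is down. Point the probes at the real endpoint and port (e.g. `port: 8888` if `/health` is served there, or a `tcpSocket` probe on 8888) and drop the `/tmp/healthy` probe. The same copy-pasted probes are added to `test_pod.yml`, `example-pod.yaml` and `pod_service_account.yml` in the following patches, where the container only runs `sleep` and serves nothing, so they will crash-loop those pods as well.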
diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 28d15fa..2311d97 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -18,6 +18,19 @@ spec: capabilities: drop: - ALL + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 1 resources: limits: cpu: "0.5" diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index a173675..c13e765 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -17,4 +17,17 @@ spec: capabilities: drop: - ALL + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 1 command: ["sleep", "3600"] \ No newline at end of file diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md index 1caf03d..ddaaac1 100644 --- a/src/final-assessment/IaCSec/iacsec-assessment.md +++ b/src/final-assessment/IaCSec/iacsec-assessment.md @@ -26,6 +26,7 @@ Total (Checkov) = 341 - Minimize the admission of containers with capabilities assigned CKV_K8S_37 (security context capabilities) - Containers should run as a high UID to avoid host conflict CKV_K8S_40 (security context runAsUser) - Containers should not run with allowPrivilegeEscalation CKV_K8S_20 (allowPrivilegeEscalation=false) +- Ensure that the seccomp profile is set to docker/default or runtime/default CKV_K8S_31 (seccomp_profile RuntimeDefault) 
From f083415ff4fca55b117d02e5e817e3686c5dcf03 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:49:03 +0200 Subject: [PATCH 24/38] readiness, liveness, limits, request --- .../IaCSec/Kubernetes/db_connector_manifest.yml | 1 + .../IaCSec/Kubernetes/pod_service_account.yml | 1 + src/final-assessment/IaCSec/Kubernetes/test_pod.yml | 1 + .../cluster-aux-resources/example-pod.yaml | 8 ++++++++ 4 files changed, 11 insertions(+) diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index 9c2bfb6..3b17b3b 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml +++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml @@ -49,6 +49,7 @@ spec: - name: db-connector image: runcor3/db_connector:latest securityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false runAsUser: 20000 capabilities: diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index 8fb266c..e3d76a3 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -19,6 +19,7 @@ spec: value: internal-app command: ["sleep", "infinity"] securityContext: + readOnlyRootFilesystem: true runAsUser: 20000 allowPrivilegeEscalation: false capabilities: diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 2311d97..48829a9 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -13,6 +13,7 @@ spec: image: ubuntu command: ["sleep", "infinity"] securityContext: + readOnlyRootFilesystem: true runAsUser: 20000 allowPrivilegeEscalation: false capabilities: 
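Review bot: `readOnlyRootFilesystem: true` is added to `db-connector` and the `ubuntu` containers without any writable volume, so `/tmp` and every other path the process writes become read-only; for `db_connector`, a real application by its name, that commonly fails on the first write, and for all of these pods it guarantees the previously added `cat /tmp/healthy` liveness probe can never be satisfied because nothing can create the file. Keep the flag — it is the right default — but mount an `emptyDir` at the paths the image actually writes (`volumeMounts: - name: tmp mountPath: /tmp` plus `volumes: - name: tmp emptyDir: {}`), and confirm the image's write paths before enforcing it. The containers' blocks start before each hunk.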
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index c13e765..db0829e 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -12,6 +12,7 @@ spec: - name: ubuntu-container image: ubuntu:latest securityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false runAsUser: 20000 capabilities: @@ -30,4 +31,11 @@ spec: port: 8080 initialDelaySeconds: 15 timeoutSeconds: 1 + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi command: ["sleep", "3600"] \ No newline at end of file From 3911a14d7ca98975b3b3e8b9ee481a39ed48750f Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:54:38 +0200 Subject: [PATCH 25/38] service account --- .../IaCSec/Kubernetes/pod_service_account.yml | 14 ++++++++++++++ .../IaCSec/Kubernetes/test_pod.yml | 1 + .../cluster-aux-resources/example-pod.yaml | 1 + 3 files changed, 16 insertions(+) diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index e3d76a3..3472d99 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -5,6 +5,7 @@ metadata: labels: role: example-pod spec: + automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault @@ -32,6 +33,19 @@ spec: volumeMounts: - name: shared-data mountPath: /data + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 1 volumes: - name: shared-data emptyDir: {} 
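Review bot: `automountServiceAccountToken: false` is set on a pod that explicitly uses `serviceAccountName: vault-service-account`, which from the file name and the commented `VAULT_ADDR` env looks like the pod that authenticates to Vault with its service-account JWT; with the automount disabled no token is mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token` and that login would fail. If the pod does need the token, keep the automount off (it is the better default) and add an explicit projected volume such as `volumes: - name: sa-token projected: sources: - serviceAccountToken: {audience: vault, expirationSeconds: 3600, path: token}` (audience is a constructed example; use the one Vault's Kubernetes auth is configured for), mounted read-only, so the token is short-lived and audience-bound instead of the legacy long-lived one. If it does not, the `serviceAccountName` line is dead configuration and can go as well.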
diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index 48829a9..f718b63 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -5,6 +5,7 @@ metadata: labels: role: example-pod spec: + automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index db0829e..71586bd 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -5,6 +5,7 @@ metadata: labels: role: example-pod spec: + automountServiceAccountToken: false securityContext: seccompProfile: type: RuntimeDefault From 886ac9c6b29e2ec0ef8ae463f555180937eb7124 Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 12:58:57 +0200 Subject: [PATCH 26/38] suppressed checkov image alerts --- .../IaCSec/Kubernetes/db_connector_manifest.yml | 2 ++ src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml | 2 ++ src/final-assessment/IaCSec/Kubernetes/test_pod.yml | 2 ++ .../aws-infrastructure/cluster-aux-resources/example-pod.yaml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml index 3b17b3b..7fa6059 100644 --- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml +++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml 
@@ -47,6 +47,8 @@ spec: type: RuntimeDefault containers: - name: db-connector + #checkov:skip=CKV_K8S_43:No image digest + #checkov:skip=CKV_K8S_14:No image tag image: runcor3/db_connector:latest securityContext: readOnlyRootFilesystem: true diff --git a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml index 3472d99..e7f3045 100644 --- a/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml +++ b/src/final-assessment/IaCSec/Kubernetes/pod_service_account.yml @@ -12,6 +12,8 @@ spec: serviceAccountName: vault-service-account containers: - name: ubuntu + #checkov:skip=CKV_K8S_43:No image digest + #checkov:skip=CKV_K8S_14:No image tag image: ubuntu env: # - name: VAULT_ADDR diff --git a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml index f718b63..63e926e 100644 --- a/src/final-assessment/IaCSec/Kubernetes/test_pod.yml +++ b/src/final-assessment/IaCSec/Kubernetes/test_pod.yml @@ -12,6 +12,8 @@ spec: containers: - name: ubuntu image: ubuntu + #checkov:skip=CKV_K8S_43:No image digest + #checkov:skip=CKV_K8S_14:No image tag command: ["sleep", "infinity"] securityContext: readOnlyRootFilesystem: true diff --git a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml index 71586bd..324e182 100644 --- a/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml +++ b/src/final-assessment/IaCSec/aws-infrastructure/cluster-aux-resources/example-pod.yaml @@ -11,6 +11,8 @@ spec: type: RuntimeDefault containers: - name: ubuntu-container + #checkov:skip=CKV_K8S_43:No image digest + #checkov:skip=CKV_K8S_14:No image tag image: ubuntu:latest securityContext: readOnlyRootFilesystem: true From e5097839daa7b9e447a03f25c4286bd433ea67f4 Mon Sep 17 00:00:00 2001 
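Review bot: The `#checkov:skip=CKV_K8S_43:No image digest` / `#checkov:skip=CKV_K8S_14:No image tag` comments added to the four manifests suppress the findings with reasons that merely restate them; `ubuntu` with no tag and `:latest` are mutable references, so every pull can deliver a different image and the cluster has no way to tell. The fix is cheaper than the exception: pin a tag and digest, e.g. `image: ubuntu:22.04@sha256:<digest-placeholder>`, which closes both checks without a skip. If an exception is genuinely wanted for the throw-away test pods, give the skip a reason a reader can act on (who accepted it and until when), and pin `runcor3/db_connector:latest` in any case since it is the one real workload here.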
From: Manuel Enrique Colotti s297014 Date: Tue, 5 Sep 2023 13:03:33 +0200 Subject: [PATCH 27/38] image pull policy --- .../IaCSec/Kubernetes/kubernetes_manifest_edited.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml index 47a9063..4180e2d 100644 --- a/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml +++ b/src/final-assessment/IaCSec/Kubernetes/kubernetes_manifest_edited.yml @@ -43,6 +43,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -110,6 +111,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -186,6 +188,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -258,6 +261,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -368,6 +372,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -435,6 +440,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -502,6 +508,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -597,6 +604,7 @@ spec: value: "frontend:80" containers: - name: main + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: @@ -643,6 +651,7 @@ spec: runAsUser: 20000 containers: - name: server + imagePullPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -710,6 +719,7 @@ spec:
 runAsUser: 20000
 containers:
 - name: server
+ imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -776,6 +786,7 @@ spec:
 runAsUser: 20000
 containers:
 - name: redis
+ imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -846,6 +857,7 @@ spec:
 runAsUser: 20000
 containers:
 - name: server
+ imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
From f1a18c49a16becfc50ec24d2392c6113c99eed4c Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 13:15:53 +0200
Subject: [PATCH 28/38] network security groups
---
 .../IaCSec/Vault-on-VM/main.tf | 5 ++++
 .../IaCSec/mysql_database/mysql_database.tf | 26 +++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/src/final-assessment/IaCSec/Vault-on-VM/main.tf b/src/final-assessment/IaCSec/Vault-on-VM/main.tf
index b753e6e..bd36dcd 100644
--- a/src/final-assessment/IaCSec/Vault-on-VM/main.tf
+++ b/src/final-assessment/IaCSec/Vault-on-VM/main.tf
@@ -253,6 +253,11 @@ resource "azurerm_network_interface_security_group_association" "tf_nisga" {
 network_security_group_id = azurerm_network_security_group.tf_nsg.id
 }
+resource "azurerm_subnet_network_security_group_association" "example" {
+ subnet_id = azurerm_subnet.tf_subnet.id
+ network_security_group_id = azurerm_network_security_group.tf_nsg.id
+}
+
 resource "random_id" "tf_random_id" {
 keepers = {
 # Generate a new ID only when a new resource group is defined
diff --git a/src/final-assessment/IaCSec/mysql_database/mysql_database.tf b/src/final-assessment/IaCSec/mysql_database/mysql_database.tf
index 83c7ad5..c07c7b3 100644
--- a/src/final-assessment/IaCSec/mysql_database/mysql_database.tf
+++ b/src/final-assessment/IaCSec/mysql_database/mysql_database.tf
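Review bot: The new `azurerm_subnet_network_security_group_association` in main.tf is labelled `example`, while the neighbouring resources in this file follow a `tf_` naming scheme (`tf_nisga`, `tf_nsg`, `tf_subnet`); `resource "azurerm_subnet_network_security_group_association" "tf_snsga" {` keeps the convention and avoids a label copied from the provider docs. The same `example` label is reused for the association added to mysql_database.tf in this patch.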
@@ -1,3 +1,4 @@
+
 resource "azurerm_virtual_network" "database_virtual_network" {
 name = "database_virtual_network"
 location = var.mysql_db_resource_group.location
@@ -22,6 +23,31 @@ resource "azurerm_subnet" "database_vn_subnet" {
 }
 }
+resource "azurerm_network_security_group" "db_network_nsg" {
+ name = "databaseNSG"
+ location = var.mysql_db_resource_group.location
+ resource_group_name = var.mysql_db_resource_group.name
+
+ security_rule {
+ name = "InboundDBConnections"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_range = "3306"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+}
+
+resource "azurerm_subnet_network_security_group_association" "example" {
+ subnet_id = azurerm_subnet.database_vn_subnet.id
+ network_security_group_id = azurerm_network_security_group.db_network_nsg.id
+}
+
+
+
 resource "azurerm_private_dns_zone" "database_dns_zone" {
 name = "databasemysqlmec.com"
 resource_group_name = var.mysql_db_resource_group.name
From 70b04c90aadae20a195d724c1a5a57de80b4e864 Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 14:41:58 +0200
Subject: [PATCH 29/38] CKV_AZURE_78
---
 src/final-assessment/IaCSec/iacsec-assessment.md | 1 +
 src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md
index ddaaac1..076180d 100644
--- a/src/final-assessment/IaCSec/iacsec-assessment.md
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md
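Review bot: The `InboundDBConnections` rule in `db_network_nsg` allows TCP/3306 from `source_address_prefix = "*"` to `destination_address_prefix = "*"`, so the NSG being attached to the database subnet admits any source that can reach the VNet rather than only the application tier. Scoping it, with `source_address_prefix = "VirtualNetwork"` as a minimum or better the application subnet's CIDR, and `destination_address_prefix` set to the database subnet's CIDR, keeps the protection this association is meant to add; the scanners this series is chasing are likely to flag the rule as an open database port otherwise. Whether the subnet is delegated to a MySQL Flexible Server or fronted by a private endpoint is not visible in the hunk, but in either case the NSG is the only network-layer filter inside the VNet. The association's `example` label also duplicates the one used in main.tf.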
@@ -27,6 +27,7 @@ Total (Checkov) = 341
 - Containers should run as a high UID to avoid host conflict CKV_K8S_40 (security context runAsUser)
 - Containers should not run with allowPrivilegeEscalation CKV_K8S_20 (allowPrivilegeEscalation=false)
 - Ensure that the seccomp profile is set to docker/default or runtime/default CKV_K8S_31 (seccomp_profile RuntimeDefault)
+- Ensure FTP deployments are disabled CKV_AZURE_78 (ftps_state)
diff --git a/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf b/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf
index d9c446d..5d1e630 100644
--- a/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf
+++ b/src/final-assessment/IaCSec/keycloak_webapp/keycloak.tf
@@ -27,6 +27,7 @@ resource "azurerm_linux_web_app" "keycloak-webapp" {
 site_config {
 always_on = false
+ ftps_state = "FtpsOnly"
 }
 depends_on = [
 azurerm_service_plan.keycloak-sp
 ]
From 9632bbfe1721c1c566fc9bb0883db495752d9287 Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 14:46:05 +0200
Subject: [PATCH 30/38] Updated checkov severity log level
---
 .github/workflows/IaC_Sec_checks.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml
index 9c87089..8c8de93 100644
--- a/.github/workflows/IaC_Sec_checks.yml
+++ b/.github/workflows/IaC_Sec_checks.yml
@@ -38,6 +38,7 @@ jobs:
 #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }}
 with:
+ check: 'MEDIUM,HIGH,CRITICAL'
 output_format: cli,sarif
 output_file_path: console,results.sarif
From 918d7b6c7cfb446418e28a1e0b0e7e81915f28a8 Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 14:48:08 +0200
Subject: [PATCH 31/38] Updated checkov severity log level #2
---
 .github/workflows/IaC_Sec_checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
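Review bot: `ftps_state = "FtpsOnly"` leaves the FTPS deployment endpoint of `keycloak-webapp` enabled; it satisfies CKV_AZURE_78, but if the app is deployed from an image or CI rather than by FTP upload (the hunk does not show a deployment source), `ftps_state = "Disabled"` removes the endpoint and its credential surface altogether and is the value to prefer. A one-line comment recording which of the two was chosen and why would keep the next maintainer from relaxing it.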
diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml
index 8c8de93..58bd8d6 100644
--- a/.github/workflows/IaC_Sec_checks.yml
+++ b/.github/workflows/IaC_Sec_checks.yml
@@ -38,7 +38,7 @@ jobs:
 #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }}
 with:
- check: 'MEDIUM,HIGH,CRITICAL'
+ check: 'LOW,MEDIUM,HIGH,CRITICAL'
 output_format: cli,sarif
 output_file_path: console,results.sarif
From ab13197380acd1d9912bbd57437b6cac992e93f3 Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 14:49:29 +0200
Subject: [PATCH 32/38] Updated checkov severity log level #3
---
 .github/workflows/IaC_Sec_checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/IaC_Sec_checks.yml b/.github/workflows/IaC_Sec_checks.yml
index 58bd8d6..3dd772f 100644
--- a/.github/workflows/IaC_Sec_checks.yml
+++ b/.github/workflows/IaC_Sec_checks.yml
@@ -38,7 +38,7 @@ jobs:
 #if: ${{ steps.pr_status.outputs.data.state == 'open' || steps.pr_status.outputs.data.state == 'reopened' }}
 with:
- check: 'LOW,MEDIUM,HIGH,CRITICAL'
+ #check: 'LOW,MEDIUM,HIGH,CRITICAL'
 output_format: cli,sarif
 output_file_path: console,results.sarif
From 5490361b291f3744233c14b568dc7724fb2d8652 Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 15:15:59 +0200
Subject: [PATCH 33/38] assessment in gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 0edf9ff..a349cd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,5 +33,6 @@ override.tf.json
 *.env
 **/secrets.tf
+**IaCSec/iacsec-assessment.md
From d7de40336d22191c4c2786b01c861b4980d0c23b Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 15:16:48 +0200
Subject: [PATCH 34/38] assessment modified
---
 .../IaCSec/iacsec-assessment.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
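Review bot: Commenting out `check: 'LOW,MEDIUM,HIGH,CRITICAL'` in the PATCH 32 hunk leaves a dead line with no record of why the two preceding attempts (patches 30 and 31) were reverted. If the reason is that severity names in Checkov's `check` input are only honoured when the run has a platform API key, because severity metadata is not part of the open-source check definitions (as I understand it), say so in place, e.g. `# check: by severity needs a platform API key; run the full check set instead`, or drop the line. Without `check` the action runs every check, which is the stricter state, so the reverted configuration is the safer one.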
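Review bot: The new pattern `**IaCSec/iacsec-assessment.md` most likely does not match `src/final-assessment/IaCSec/iacsec-assessment.md`: in gitignore syntax a `**` not followed by `/` is treated as an ordinary `*`, and a pattern containing a slash is anchored to the directory of the .gitignore, so this only matches `<prefix>IaCSec/iacsec-assessment.md` at the repository root. `**/IaCSec/iacsec-assessment.md` is the form that matches at any depth, consistent with the `**/secrets.tf` entry above it. The file is also already tracked and is modified again in patches 34 to 38 of this series, so an ignore entry has no effect until `git rm --cached` removes it from the index; if the scanner output it holds should not be committed, that is the missing step.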
diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md
index 076180d..b8f536b 100644
--- a/src/final-assessment/IaCSec/iacsec-assessment.md
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md
@@ -40,4 +40,25 @@ Search filter: pr:38 tool:checkov is:open sort:created-desc path:/src/final-asse
 - 37 Medium
 - 37 Low
+
+### HIGH
+- Container allowing privileged sub processes | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
+- Container with NET_RAW capability | 🔴 High | 1 Occurrences
+- Container with RunAsUser root or not set | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
+- Container with writable root file system | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
+- RDS - Instance Not Public Accessible | 🔴 High | 1 Occurrences
+
+### MEDIUM
+- Container using image without digest | 🟠 Medium | 25 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
+- Container using latest image | 🟠 Medium | 3 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
+- Container with ANY capability | 🟠 Medium | 1 Occurrences
+- Container with root group access | 🟠 Medium | 1 Occurrences
+- KMS - Enabled CMKs Rotation | 🟠 Medium | 2 Occurrences
+- Policies - Defined Containers Security Context | 🟠 Medium | 1 Occurrences
+- Workload container default RunAsGroup root | 🟠 Medium | 1 Occurrences
+- Workload missing CPU limit | 🟠 Medium | 3 Occurrences
+- Workload missing memory limit | 🟠 Medium | 3 Occurrences
+- Workload using "default" ServiceAccount | 🟠 Medium | 22 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
+- Workload with writable volumes | 🟠 Medium | 2 Occurrences
+
 ## Run time of pipelines
\ No newline at end of file
From dca46b38f868a510aeaf04d1045714e011d251df Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 15:28:00 +0200
Subject: [PATCH 35/38] Sysdig Container with ANY capability and Container with root group access
---
 .../IaCSec/Kubernetes/db_connector_manifest.yml | 5 +++--
 src/final-assessment/IaCSec/iacsec-assessment.md | 14 +++++++-------
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
index 7fa6059..f7c1e9c 100644
--- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
+++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
@@ -54,9 +54,10 @@ spec:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsUser: 20000
+ runAsGroup: 3000
 capabilities:
- drop:
- - ALL
+ drop:
+ - ALL
 livenessProbe:
 exec:
 command:
diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md
index b8f536b..fe443aa 100644
--- a/src/final-assessment/IaCSec/iacsec-assessment.md
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md
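Review bot: Re-indenting `drop:` under `capabilities:` is what makes `ALL` actually dropped; in the removed lines `drop` sat beside `capabilities` as a separate key, which the API server either rejected as an unknown field or ignored depending on its field validation, and nothing in the pipeline caught it until the Sysdig "ANY capability" finding. A schema validation step in CI, such as `kubectl apply --dry-run=server -f <manifest>` or kubeconform, would catch this class of mistake before a runtime scanner does. `runAsGroup: 3000` is a reasonable non-root GID; if `runAsNonRoot: true` is not already set elsewhere in this securityContext (outside the hunk), adding it makes the non-root requirement explicit rather than implied by the UID.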
@@ -49,16 +49,16 @@ Search filter: pr:38 tool:checkov is:open sort:created-desc path:/src/final-asse
 - RDS - Instance Not Public Accessible | 🔴 High | 1 Occurrences
 ### MEDIUM
-- Container using image without digest | 🟠 Medium | 25 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
-- Container using latest image | 🟠 Medium | 3 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
+- Container using image without digest | 🟠 Medium | 13 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
+- Container using latest image | 🟠 Medium | 2 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
 - Container with ANY capability | 🟠 Medium | 1 Occurrences
 - Container with root group access | 🟠 Medium | 1 Occurrences
 - KMS - Enabled CMKs Rotation | 🟠 Medium | 2 Occurrences
-- Policies - Defined Containers Security Context | 🟠 Medium | 1 Occurrences
+- Policies - Defined Containers Security Context | 🟠 Medium | 1 Occurrences (SOLVED BY CHECKOV)
 - Workload container default RunAsGroup root | 🟠 Medium | 1 Occurrences
-- Workload missing CPU limit | 🟠 Medium | 3 Occurrences
-- Workload missing memory limit | 🟠 Medium | 3 Occurrences
-- Workload using "default" ServiceAccount | 🟠 Medium | 22 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
-- Workload with writable volumes | 🟠 Medium | 2 Occurrences
+- Workload missing CPU limit | 🟠 Medium | 2 Occurrences
+- Workload missing memory limit | 🟠 Medium | 2 Occurrences
+- Workload using "default" ServiceAccount | 🟠 Medium | 11 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
+- Workload with writable volumes | 🟠 Medium | 1 Occurrences
 ## Run time of pipelines
\ No newline at end of file
From 5970cc3268b653b0f8aabe4ca256486f452bf37b Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 15:36:29 +0200
Subject: [PATCH 36/38] modified runAsGroup
---
 .../IaCSec/Kubernetes/db_connector_manifest.yml | 2 +-
 src/final-assessment/IaCSec/iacsec-assessment.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
index f7c1e9c..17aa6e5 100644
--- a/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
+++ b/src/final-assessment/IaCSec/Kubernetes/db_connector_manifest.yml
@@ -54,7 +54,7 @@ spec:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsUser: 20000
- runAsGroup: 3000
+ runAsGroup: {{.Value}}
 capabilities:
 drop:
 - ALL
diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md
index fe443aa..f8a284d 100644
--- a/src/final-assessment/IaCSec/iacsec-assessment.md
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md
@@ -43,7 +43,7 @@ Search filter: pr:38 tool:checkov is:open sort:created-desc path:/src/final-asse
 ### HIGH
 - Container allowing privileged sub processes | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
-- Container with NET_RAW capability | 🔴 High | 1 Occurrences
+- Container with NET_RAW capability | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
 - Container with RunAsUser root or not set | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
 - Container with writable root file system | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
 - RDS - Instance Not Public Accessible | 🔴 High | 1 Occurrences
From 231852edaa90e5fa0742273736da1eb49c96cc5d Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 15:45:01 +0200
Subject: [PATCH 37/38] rds not accessible publicly
---
 src/final-assessment/IaCSec/aws-infrastructure/rds.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/final-assessment/IaCSec/aws-infrastructure/rds.tf b/src/final-assessment/IaCSec/aws-infrastructure/rds.tf
index 6054c94..b43ff95 100644
--- a/src/final-assessment/IaCSec/aws-infrastructure/rds.tf
+++ b/src/final-assessment/IaCSec/aws-infrastructure/rds.tf
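Review bot: `runAsGroup: {{.Value}}` turns a plain manifest into a Go-template fragment: as YAML, `{{.Value}}` parses as a flow mapping rather than an integer, and nothing in this series shows the file being rendered by Helm or a similar tool before `kubectl apply` (the previous patch applied it with a literal `3000`), so the API server would reject the field. Restore a concrete non-zero GID, `runAsGroup: 3000`, or if templating is intended move the file into a templated chart and document the render step. The assessment entry later in the series that marks the root-group findings as "Solved with runAsGroup" depends on this line being valid.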
@@ -11,6 +11,7 @@ resource "aws_db_instance" "rds_db" {
 skip_final_snapshot = true //inserito solo per permettere una destroy immediata
 vpc_security_group_ids = [aws_security_group.db_plane_sg.id]
 deletion_protection = true
+ publicly_accessible = false
 backup_retention_period = 5
 iam_database_authentication_enabled = true
From 5c71aacb3a058a8e1c91515e55d091fcaed023bb Mon Sep 17 00:00:00 2001
From: Manuel Enrique Colotti s297014
Date: Tue, 5 Sep 2023 15:47:58 +0200
Subject: [PATCH 38/38] Solved main checkov and sysdig detected issues
---
 src/final-assessment/IaCSec/iacsec-assessment.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/final-assessment/IaCSec/iacsec-assessment.md b/src/final-assessment/IaCSec/iacsec-assessment.md
index f8a284d..27bf1f1 100644
--- a/src/final-assessment/IaCSec/iacsec-assessment.md
+++ b/src/final-assessment/IaCSec/iacsec-assessment.md
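Review bot: `publicly_accessible = false` closes the Sysdig finding, but for `aws_db_instance` it is, as far as I recall, already the provider default, so the effective gate on reachability is `aws_security_group.db_plane_sg` and the subnet group, neither of which is visible here; the security group's ingress on the database port should be limited to the EKS node or pod CIDR. A short comment on the new line, `# explicit for scanners; reachability is governed by db_plane_sg`, would tie the two together. The neighbouring `skip_final_snapshot = true` comment says it exists only to allow an immediate destroy, which `deletion_protection = true` on the next context line prevents anyway; pre-existing, but worth reconciling while this block is being touched.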
@@ -46,19 +46,19 @@ Search filter: pr:38 tool:checkov is:open sort:created-desc path:/src/final-asse
 - Container with NET_RAW capability | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
 - Container with RunAsUser root or not set | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
 - Container with writable root file system | 🔴 High | 1 Occurrences (SOLVED AFTER CHECKOV)
-- RDS - Instance Not Public Accessible | 🔴 High | 1 Occurrences
+- RDS - Instance Not Public Accessible | 🔴 High | 1 Occurrences (SOLVED publicly_accessible = false)
 ### MEDIUM
 - Container using image without digest | 🟠 Medium | 13 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
 - Container using latest image | 🟠 Medium | 2 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
-- Container with ANY capability | 🟠 Medium | 1 Occurrences
-- Container with root group access | 🟠 Medium | 1 Occurrences
-- KMS - Enabled CMKs Rotation | 🟠 Medium | 2 Occurrences
+- Container with ANY capability | 🟠 Medium | 1 Occurrences (SOLVED, bad formatting of securityContext capability)
+- Container with root group access | 🟠 Medium | 1 Occurrences (Solved with runAsGroup capability)
+- KMS - Enabled CMKs Rotation | 🟠 Medium | 2 Occurrences (NEGLECTED)
 - Policies - Defined Containers Security Context | 🟠 Medium | 1 Occurrences (SOLVED BY CHECKOV)
-- Workload container default RunAsGroup root | 🟠 Medium | 1 Occurrences
-- Workload missing CPU limit | 🟠 Medium | 2 Occurrences
-- Workload missing memory limit | 🟠 Medium | 2 Occurrences
+- Workload container default RunAsGroup root | 🟠 Medium | 1 Occurrences (Solved with runAsGroup capability)
+- Workload missing CPU limit | 🟠 Medium | 2 Occurrences (NEGLECTED)
+- Workload missing memory limit | 🟠 Medium | 2 Occurrences (NEGLECTED)
 - Workload using "default" ServiceAccount | 🟠 Medium | 11 Occurrences (DETECTED BY CHECKOV TOO, NEGLIGIBLE)
-- Workload with writable volumes | 🟠 Medium | 1 Occurrences
+- Workload with writable volumes | 🟠 Medium | 1 Occurrences (NEGLECTED)
 ## Run
time of pipelines
\ No newline at end of file